HOMECOMING


WELCOME TO 


DEF CON


DEF CON is a time to celebrate hacking, hijinks, curiosity, but most importantly community. 
Being with the people that get it. Not having to explain why you have a WIFI scanning 
hat on or that bottle of nitrogen you are carrying for the beverage cooling contest. Over 
the decades community has become one of the most important aspects of the con as the 
mysteries and secrets of hacking have gone mainstream. No longer an underground 
conference, we emerged above ground and like it here! 


Hacking is where the rubber meets the road, where what is technically possible is different 
than what its creators imagined. Hacking has also become political as technology runs the 
world. But hacking is ultimately social, trying to understand the larger systems, building 
and breaking things together, mentoring, partnering, and ultimately even some getting 
married at DEF CON. If that’s not social I don’t know what is. 


The Jackal: RIP 
Anyone know? 


Sledgehammer: This dude's car 
Anyone know? 


Dune: See acknowledgements 
in Neal Stephenson's 
"Cryptonomicon" 


Aleph1: BugTraq, Security Focus, 
“Smashing the stack for fun 
and profit” 

Sign: DEF CON OR BUST! 


When I started DEF CON THIRTY (!) years ago it was a simple idea: throw a party for 
hackers, phreakers, artists, lawyers, and everyone adjacent. Hear from people you would 
normally never come into contact with, and have a party. I decided against being invite 
only and to hold it in a city that never sleeps. Back then I never anticipated or imagined 
the potential of gathering people with so many different backgrounds together. I'd like to 
say it was my master plan, but really it was a combination of luck, timing, friends helping, 
and a desire from the community that made this all possible. 


I dedicate this conference to you, who have traveled to the desert in the middle of the 
summer to be with the communities you care about. I hope you make new friends and 
unlock some new knowledge. 


Cheers! 


The Dark Tangent 




NETWORK 
INSTRUCTIONS 


DEF CON 30! And here we are, the DEF CON 
NOC is back, delivering the best questionable 
zero-trust network access throughout the new 
awesome Caesars Forum (not to be confused 
with the Forum Shops at Caesars. But if you go 
there, make sure to say hi to Micah, #1 Genius 
Bar Employee <3), Flamingo, LINQ and Harrah's 
conference floors. Machine Learning, AI 
optimization, shiftleft, IPv7 and Malört drinking, 
it all should be working by the time you are 
reading this. 


Now to the important stuff, what should you do 
in order to connect to Wi-Fi? 


Remember there are three (and no more than 
three) official ESSIDs you should use to HACK 
THE PLANET!!!: 


- The encrypted one with 802.1X authentication 
and digital certificate verification: DefCon 


- The (other, yet legit) encrypted one with 802.1X 
authentication and digital certificate verification. 
But also, with some shiny WPA3 benefits: 
DefCon-WPA3 


- And the original, unencrypted, stick-shift, no 
ABS, wildest-westest of the wireless networks: 
DefCon-Open 


“Choice. The problem is choice” 


Wi-Fi and 802.1X authentication have had a 
pretty good relationship in the past few years. 
And, believe it or not, we test stuff before we go 
onsite. But things might change and there might 
be some devices out there that really do not like 
802.1X with PEAP authentication. 


Important 802.1X fact: Configuring 802.1X 
and choosing to have your device “not verify 
server certificate” will probably not only let that 
device connect to one of the hundreds of rogue 
access points on the show floor but will also send 
your login credentials to a rogue RADIUS server. 
Despite technology advancements, this is still no 
bueno and defeats the whole purpose of this 
authentication method. 


And the usual Guy Fieri special: Be an As 
of cyber common sense (™), and do NOT, I 
repeat, do NOT choose the same credentials 
(aka: username and password) used for stuff 
that matters: shopping sites, online banking, the 
twitterz AND, especially, your windows domains 
(yeah, it keeps happening) to connect to the 
hacker conference network. Make something up, 
be creative and funny. 
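As an added illustration of the “not verify server certificate” point above (example code written for this page, not the DEF CON NOC's own tooling), here is a small Python checker that parses wpa_supplicant network blocks and flags PEAP/TTLS networks that either skip RADIUS server certificate verification (no ca_cert) or verify the CA but never pin the server name. The two embedded configs are constructed samples; the CA file path and the RADIUS server name in them are placeholders, since the real certificate and name come from https://wifireg.defcon.org.

```python
import re

# Constructed sample wpa_supplicant.conf snippets (not from the DEF CON NOC).
# WEAK_CONF is the "do not verify server certificate" state: no ca_cert, so the
# supplicant accepts any RADIUS server, including one behind a rogue AP.
WEAK_CONF = """
network={
    ssid="DefCon"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="made-up-user"
    password="made-up-password"
}
"""

# HARDENED_CONF pins the CA and the server name. Both values are placeholders;
# substitute the certificate and hostname published at https://wifireg.defcon.org.
HARDENED_CONF = """
network={
    ssid="DefCon"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="made-up-user"
    password="made-up-password"
    ca_cert="/etc/wpa_supplicant/PLACEHOLDER-defcon-ca.pem"
    domain_suffix_match="PLACEHOLDER-radius.example"
}
"""

_BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
# key=value or key="value"; values cannot span lines.
_KV_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)

# Tunneled EAP methods: the password exchange happens inside a TLS tunnel,
# so the tunnel endpoint (the RADIUS server) must be authenticated.
TUNNELED_EAP = {"PEAP", "TTLS"}
# wpa_supplicant options that bind the server certificate to a specific identity.
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match",
                    "altsubject_match", "subject_match")


def parse_networks(conf_text):
    """Return one {option: value} dict per network={...} block."""
    return [dict(_KV_RE.findall(m.group(1))) for m in _BLOCK_RE.finditer(conf_text)]


def audit_network(net):
    """Return (code, explanation) findings for a single network block."""
    findings = []
    if net.get("eap", "").upper() not in TUNNELED_EAP:
        return findings  # not a tunneled method; nothing to verify here
    if "ca_cert" not in net:
        findings.append(("NO_CA_CERT",
                         "no ca_cert: the RADIUS server certificate is not verified, so "
                         "any rogue AP advertising this SSID can harvest the MSCHAPv2 "
                         "credential exchange"))
    elif not any(k in net for k in SERVER_NAME_KEYS):
        findings.append(("NO_SERVER_NAME_MATCH",
                         "ca_cert set but no domain_suffix_match/altsubject_match: any "
                         "certificate issued by that CA is accepted as the RADIUS server"))
    return findings


def audit_conf(conf_text):
    """Map each SSID in a config to its list of finding codes."""
    return {net.get("ssid", "?"): [code for code, _ in audit_network(net)]
            for net in parse_networks(conf_text)}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_conf(conf))
```

The same weak state exists in NetworkManager as an 802.1X profile with no CA certificate selected; the fix there is the same: point the profile at the downloaded certificate and set the server's domain match.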




For updated information and instructions on 
how to connect to the Wi-Fi with the nOt-s0-1337 
Operating Systems along with the link to 
download the digital certificate to be used, visit: 


https://wifireg.defcon.org. 


And if you don’t know how to properly configure 
the Wi-Fiz on your üb3r-1337 linux distro, you 
should consider a new platform. 


For NOC updates visit https://noc.defcon.org, 
and also follow us on twitter @DEFCON_NOC. 


Peace, love and taco grease! 


DCTV RETURNS! 


DEFCON will be televised! Visit 
https://dctv.defcon.org 
for the latest info including hotels, channels, and 
limited streaming. 


DEF CON 30 
CONVENTION MEDIA 
SERVER 


All DC 30 Content is HERE 


https://10.0.0.16/ 

or 

https://dc30-media.defcon.org/ 


Find this year’s presentation materials, music, 
white papers, slides, and more plus leech files 
from all the past DEF CON conferences and the 
infocon.org conference archives! 


We expect you to leech at full speed, and the 
server is warmed up and ready to go. Enjoy! 


To make things easier for you here are some 
example wget commands: 


Example wget command to download all of DEF CON 25: 


wget -np -m "https://dc30-media.defcon.org/infocon.org/cons/DEF CON/DEF CON 25/" 


CODE OF CONDUCT / RESOURCES 


Last updated 3.6.15 


DEF CON provides a forum for open 
discussion between participants, where radical 
viewpoints are welcome and a high degree of 
skepticism is expected. However, insulting or 
harassing other participants is unacceptable. 
We want DEF CON to be a safe and 
productive environment for everyone. It’s not 
about what you look like but what's in your 
mind and how you present yourself that counts 
at DEF CON. 


We do not condone harassment against any 
participant, for any reason. Harassment 
includes deliberate intimidation and targeting 
individuals in a manner that makes them feel 
uncomfortable, unwelcome, or afraid. 


Participants asked to stop any harassing 
behavior are expected to comply immediately. 
We reserve the right to respond to harassment 
in the manner we deem appropriate, including 
but not limited to expulsion without refund and 
referral to the relevant authorities. 


This Code of Conduct applies to everyone 
participating at DEF CON - from attendees and 
exhibitors to speakers, press, volunteers, and 
Goons. 


Anyone can report harassment. If you are 
being harassed, notice that someone else is 
being harassed, or have any other concerns, 
you can contact a Goon, go to the registration 
desk, or info booth. 


Conference staff will be happy to help 
participants contact hotel security, local 
law enforcement, or otherwise assist those 
experiencing harassment to feel safe for the 
duration of DEF CON. 


Remember: The CON is what you make of it, 
and as a community we can create a great 
experience for everyone. 


- The Dark Tangent 


Sometimes you may not want to contact a 
Goon at the Info Booth or walking around in 
person with a problem, and for the second 
year in a row we have a phone option to tell 
us about concerns. 


You can reach DEF CON staff during 
normal hours of operation (8am to 4am) to 
anonymously report any behavior violating 
our code of conduct or to find an empathic ear 
by calling +1 (725) 222-0934. 


For relevant issues, we are collaborating 
with several organizations including Kick at 
Darkness, The Rape Crisis Center Las Vegas, 
and the Nevada Coalition to End Domestic 
and Sexual Violence to provide expert 
resources for survivors, including dedicated 
support for LGBTQ+. 


MASK POLICY 


DEF CON Goons are the electrons that enable the conference to run, and 
should you have a question or need help they are there for you. Here are 
some goon facts: 


DEF CON 30 Goons should all have visible Goon Name 
patches with their nickname on them so it is 
easier to remember who you talk to about 
what. 


Goons are in one of two states, either ON duty or OFF duty. 


If they are ON DUTY they will be wearing a current year, red, DEF CON 
30 Goon shirt, a current year Goon badge, and a name patch. 


If Goons are OFF DUTY they will not be wearing the red Goon shirt, 
but may still have a Goon badge on so they can still access the meeting 
spaces. 


Goons ON DUTY are not supposed to drink alcohol. 
Goons OFF DUTY have been known to drink alcohol. 


PAST Goons may be seen wearing previous red shirts or badges as they 
helped run a past DEF CON, but that DOES NOT make them a current 
DEF CON 30 Goon. 


Please use the name patch if you have any feedback on Goons, good or 
bad. Feedback can be sent to feedback@defcon.org 


Goons Goon for many reasons, but the pay isn’t one of them. They put 
in long hours and many weeks or months of planning and take time off 
work to make the con happen for everyone. Please feel free to ask them 
questions if you have any desire to join the ranks at a future Con. 


Download the official DEF CON app! It contains all of the happenings 
of DEF CON. It is easy to use and updated as things change during the 
conference. It contains all of the maps and schedules so you can plan 
your best DEF CON experience. 


No matter what part of the DEF CON 
universe you're interested in, you 
should start at the DEF CON Forums. 
With а forum account you can reach 
out to a local DEF CON group, help 
us plan future events or even chat with 
other hackers. DEF CON's heart is its 
community, and the community meets 
at the DEF CON Forums. Join us! 


HTTPS://PLAY.GOOGLE.COM/STORE/APPS/DEVELOPER?ID=DEF+CON+COMMUNICATIONS,+INC. 


WORKSHOPS SCHEDULE 


WORKSHOP REGISTRATION WAS HELD ONLINE JULY STH. THERE IS NO ONSITE 
REGISTRATION, SIGNUP SHEET, AND ALL SEATS (INCLUDING STANDBY) ARE SOLD OUT. FOR 
MORE INFO ON THE WORKSHOPS VISIT DEFCON.ORG. PRE-REGISTRATION WILL BE ONLINE 
AGAIN FOR DEF CON 31! 


THURSDAY 


10:00-14:00 


15:00-19:00 


Hands-On TCP/IP Deep Dive with Wireshark - How this stuff really works 


Ryan Holeman 


Protect/hunt/respond with Fleet and osquery 


The Purple Malware Development Approach 


Network Hacking 101 


House of Heap Exploitation 


Introduction to Azure Security 


Finding Security Vulnerabilities Through Fuzzing 


Pentesting Industrial Control Systems 101: Capture the Flag! 


Introduction to Software Defined Radios and RF Hacking 


FRIDAY 


10:00-14:00 


Finding Security Vulnerabilities Through Fuzzing 


CICD security: A new eldorado 


Introduction to Cryptographic Attacks 


The Art of Modern Malware Analysis: Initial Infection Malware, Infrastructure, and C2 Frameworks 


DFIR Against the Digital Darkness: An Intro to Forensicating Evil 


15:00-19:00 


Hands On Mainframe Buffer Overflows - RCE Edition 


Hacking the Metal 2: Hardware and the Evolution of C Creatures 


Securing Industrial Control Systems from the core: PLC secure coding practices 


From Zero To Hero In A Blockchain Security 


Securing Smart Contracts 


SATURDAY 


10:00-14:00 


Windows Defence Evasion and Fortification Primitives 


CTF 101: Breaking into CTFs (or "The Petting Zoo" - Breaking into CTFs) 


Pivoting, Tunneling, and Redirection Master Class 


Master Class: Delivering a New Construct in Advanced Volatile Memory Analysis for Fun and Profit 


Dig Dug: The Lost Art of Network Tunneling 


15:00-19:00 


Securing Web Apps 


Creating and uncovering malicious containers 


Hybrid Phishing Payloads: From Threat-actors to You 


Automated Debugging Under The Hood - Building A Programmable Windows Debugger From Scratch (In Python) 


Evading Detection: A Beginner's Guide to Obfuscation 


Kody Hildebrand 
18:00 NPC: Collective 
20:00 Archwisp 
Costume Contest 
Dual Core 
Icetre Normal 
21:00 Tense Future 
22:00 DJ Scythe 
23:00 DJ UNIT 77 
00:00 CaptHz 
01:00 
Miss Jackalope 
Magik Plan 
Skittish & Bus 
Biolux 
Keith Myers 
conmusic.org 


ARCADE PARTY 


Party at Caesars Forum - 136, 104, 105 
Saturday: 21:00 - 00:00 
The Arcade Party is back! Come play your favorite classic arcade games 
while jamming out to Keith Myers DJing. Your favorite custom built 16 
player LED foosball table will be ready for some competitive games. 


This epic party is hosted by the Military Cyber Professionals 
Association (a tech ed charity) and friends. 


More info: ArcadeParty.org (open to all DEF CON attendees) 


BLANKETFORT CON 


Party at Caesars Forum - 109-110 
Saturday: 19:30 - 01:00 
Blanket Fort Con: Come for the chill vibes and diversity, stay for the 


Blanket Fort Building, Cool Lights, Music, and, Kid Friendly\Safe 
environment. Now with less Gluten and more animal onesies! 


BLUETEAM VILLAGE 


Party at LINQ Pool 
Pool Party - BTV’s Five Year Anniversary 
This year BTV will be celebrating five years at DEF CON!!! Join 


us Friday night 8pm-11pm at the LINQ pool. Libations will be 
available at the cash bar. Free tacos, sliders, and other goodies. 


Dual Core will be performing at 9pm! 


We hope to see you during this special Homecoming event. 


DC404/DC678/DC770/DC470 (ATLANTA 
METRO) MEETUP 


Meetup at Caesars Forum - 109-110 
Friday: 16:00 - 19:00 


They say Atlanta is the city too busy to hate, but it also has too much 
traffic for its widespread hacker fam to get together in a single meetup. 
So instead we're meeting up in the desert during DEF CON - the one 
time of year when intown, northern burbs, south siders, and anyone 
else connected to (or interested in!) DC404’s 20+ year legacy can 
catch up, share stories, and make new connections. Come prepared 
to share your interests, hacks, swag, stories, and good times! 


DC702 PWNAGOTCHI PARTY 


Meetup at Caesars Forum - 110 
Thursday: 18:00 - 21:00 


Join DC702 for a Pwnagotchi party. The DC702 team will be auctioning off 
kits and donating the proceeds to the EFF, as well as providing instructions 
and guidance for assembly. Everyone is welcome to come by, and if you 
have your own assembled or unassembled kit, feel free to bring it! 
DEFCON HOLLAND DC3115 & DC3120 
GROUP MEETUP 


Meetup at Bird Bar in Flamingo 
Friday: 16:00 - 19:00 


In The Netherlands it's a tradition to catch up with your colleagues 
just before the end of the workday on Friday when the weekend 
starts to kick in. In The Netherlands this is called the “VrijMiBo” 
(Vrijdag/Friday - Middag/Afternoon - Borrel/Drink). 


"VrijMiBo/Friday afternoon Drink" at DefCon is a perfect moment to talk 
about what your favorite thing is at DefCon, show your cool handmade 
badges, impress other hackers about your latest hacks, make new 
friends, gossip about your boss and show your cat or dog pictures. 


Vrijdag Middag Borrel, Freitag Mittags Getränk, Apéritif du 
vendredi après-midi, trago de viernes por la tarde. 


DENIAL, DECEPTION, AND DRINKS WITH 
MITRE ENGAGE 


Meetup at Society boardroom 
Saturday: 17:00 to 19:00 


Interested in cyber denial, deception, and adversary 
engagement? Come join the MITRE Engage team for 
conversations, war stories, and cyber shenanigans. 


FRIENDS OF BILL W 


Meetup at Caesars Forum - Unity Room 
Thursday: 12:00 / 17:00, Friday: 12:00 / 17:00, 
Saturday: 12:00 / 17:00, Sunday: 12:00 

For all those Friends of Bill W. looking for a meeting or just a 
quiet moment to regroup, we have you covered with meetings 
throughout #DEFCON - Noon & 5pm Thurs-Sat, Noon Sun. 


GIRLS HACK VILLAGE 


Meetup at Caesars Forum - 409 
Friday: 18:30 - 21:30 


“‘You miss 100% of the shots you don’t take’ - Wayne Gretzky” 
- Michael Scott - Girls Hack Village. This meetup will be a fun 
networking event that gives attendees the opportunity to meet and 
make connections. Are you awkward at social gatherings? Are 
you the life of the party? We endeavor to create an environment 
where those on either side and anywhere in between are welcome 
and feel as though they belong. Want to grow your brand or just 
make new Hacker Summer Camp friends? Come one, come all. 


GIRLS HACK VILLAGE 90'S HOUSE PARTY 


Party at Caesars Forum - 409 
Saturday: 20:30 - 00:00 


Nostalgia, maybe? I think so. In honor of DEF CON 30, we're 
throwing it back to the era of slow jams and house party mixtapes. 
We'll be playing everything from power ballads and rap to 
r&b and pop. Do like Kris Kross and Jump on the opportunity 
to have a good time with good people to good music. 


GOTHCON (#DCGOTHCON) 


Party at Caesars Forum - 136, 104, 105 
Friday: 21:00 - 02:00 


Back for their 5th year, GOTHCON welcomes everyone to come 
dance and stomp the night away at their Techno Coven. 9pm-2am 
Friday Aug 12th. Follow @dcgothcon on twitter for updates and details 
on location. All are welcome 1b sor nazis), and dress however you 
want - whatever makes you the most comfortable and happy. 


HACKER FLAIRGROUNDS 


Meetup at Caesars Forum - Accord Boardroom 


Saturday: 20:00 - 22:00 


The destination for badge collectors, designers, and hardware hacks 
to celebrate the flashier side of DEF CON. It is a melding of the 1337 
and the un-1337 interested in hardware and IoT. We see #badgelife, 
#badgelove, SAOs and badge hacking as a great potential for securing 
IoT and keeping the power in the hands of the consumer by spreading 
knowledge about the craft/trade. Those involved should be celebrated for 
sharing their knowledge. Many of them do not like the limelight, so this 
gives us a chance to personally say thank you in a chill environment. 


HACKER KARAOKE 


Meetup at Caesars Forum - 133 
Friday: 19:30 - 02:00, Saturday: 19:30 - 02:00 


For those who love to sing and perform in front of others, 
we are celebrating our 14th year of Love, Laughter, and 
Song from 8 PM to 2 AM Friday and Saturday night. 


We are open to everyone of any age, and singing is not required. 


For more information visit: 


https://hackerkaraoke.org or Twitter @hackerkaraoke. 


LAWYERS MEET 


Meetup at Parlor D & The Veranda at Harrah's 
Friday: 18:00 
If you're a lawyer (recently unfrozen or otherwise), a judge 
or a law student please make a note to join Jeff McNamara 
for a friendly gettogether, drinks, and conversation. 


MEET THE DIGITAL LAB AT CONSUMER 
REPORTS 


Meetup at Caesars Forum - Accord Boardroom 


Friday: 17:00 - 20:00 


Consumer Reports Digital Lab is a team of hackers, technologists 
and advocates that break the products we use every day to identify 
vulnerabilities that harm consumers. Come meet CR's resident hackers 
and learn how you can hack alongside us. We'll be showcasing our 
work in IoT, VPNs, and data rights and asking you how we can better 
leverage our security testing and research to provoke industry change. 
Meetup at Caesars Forum - 410 
Saturday: 20:00 - 22:00 


Join the Electronic Frontier Foundation - The leading non-profit fighting for 
civil liberties in the digital world- to chat about the latest developments in 
Tech and Law and how these can help each other to build a better future. 


The discussion will include updates on current EFF issues such as 
Disciplinary technologies, Stalkerware, LGBTQ+ Rights, Reproductive 
Rights, drones, updates on cases and legislation affecting security 
research, and law enforcement partnerships with industry. 


Half of this session will be given over to question-and-answer, so 
it's your chance to ask EFF questions about the law and tech. 


PILOTS AND HACKERS MEETUP 


Meetup at Caesars Forum, Caucus & Society Boardrooms 
Friday: 20:00 to 22:00 


Aerospace Village presents.... 


Buzzing the tower - a Pilot / Hacker meetup 


Whether you are a hacker, a pilot, or have an interest in either 
you are welcome to join us at Buzzing the Tower, a meetup 
hosted by the Aerospace Village. Come and relax, squawk with 
others, and try your hand at our DEF CON 30 themed Flight Sim 
challenge! So please stow your tray table in readiness for landing 
at the destination favoured by pilots and hackers alike! 


QUEERCON MIXER 


Meetup at Caesars Forum - Chillout 
Thursday: 16:00 - 18:00, Friday: 16:00 - 18:00, Saturday: 16:00 - 18:00 


The lgbtqia+ community in InfoSec is throwing a party to bring our folk 
together and have a good time. Meet others like you or hang out with 
those you've met over the years. This is a safe and inclusive space meant 
to make you feel comfortable and help you socialize with others like you. 


QUEERCON PARTY 


Party at Caesars Forum - 108-110 
Friday: 22:00 - 01:00 


The lgbtqia+ community in InfoSec is throwing a party to bring our folk 
together and have a good time. Meet others like you or hang out with 
those you've met over the years. This is a safe and inclusive space meant 
to make you feel comfortable and help you socialize with others like you. 


VETCON 


Party at Caesars Forum - 139, 106 
Saturday: 21:00 - 02:00 


Co-founded in 2018 by Jim McMurry and William Kimble, the founders 
of Milton Security and Cyber Defense Technologies, respectively, the 
VETCON conference is the official Veteran event of the DEFCON Hacker 
Conference. Through its Discord server and in person events, VETCON 
connects and supports veterans in the Information Security field. The event 
is open to all DEFCON attendees with a focus on military veterans. 


VETCON Is a Conference for Veterans, Run by Veterans, 
During the Largest Hacker Conference, DEFCON 15 


VILLAGES 


ADVERSARY VILLAGE 


Friday: 10:00 - 17:00, Saturday: 10:00 
- 17:00, Sunday: 10:00 - 15:00 


Location: Flamingo, Scenic Ballroom 


Adversary Village is a community initiative which purely focuses 
on Adversary simulation/emulation, threat/APT emulation, 
Breach and adversarial attack simulation, supply chain security 
simulation, adversary tactics, life, adversary philosophy, 
survival skills and Purple teaming. Adversary Village will be 
organizing technical talks, workshops, live demos, Adversary 
Wars CTF, panel discussions and other hands-on activities 
on adversary simulation, emulation and purple teaming. 


This is different from any of what has been covered in the existing 
villages, because our focus is on simulation of the actions of a threat actor or an adversary 
and this being simulated here. As this domain matures, we anticipate active participation from 
enterprises, as such simulations would help immensely towards internal capacity building 
from having a “live fire” training opportunity. An increasing number of researchers too 
are focusing on building tools and techniques for simulation of various adversarial actions 
against an organization or Supply chain, instead of actual real-world exploitation. 


The goal of the Adversary Village would be to build a vendor neutral open security 
community for the researchers and organizations, who are putting together new means and 
methodologies towards the simulation/emulation of adversary tactics then purple teaming. 


Adversary Wars CTF 


Adversary Village will be hosting a CTF named “Adversary Wars”, where 
the participants will have to pose as adversaries and simulate adversarial 
actions against each element of the dummy target organization. 


Our end-goal is to build a CTF platform for adversary simulation/ 
emulation knowledge sharing and exercises. 


Adversary Wars would have real world simulation CTF scenarios and challenges, where the 
adversaries can simulate attacks and learn new attack vectors, TTPs, techniques, etc. 


There would be combined exercises which include different levels 
of threat/adversary emulation and purple teaming. 


Adversary Simulator booth 


Adversary Simulator booth has hands-on adversary emulation plans specific 
to a wide variety of threat-actors; these are meant to provide the participant/ 
visitor with a better understanding of the Adversary tactics. 


This is a volunteer assisted activity where anyone, both management and technical folks, 
can come in and experience different categories of simulation, emulation and purple 
scenarios. Adversary Simulator booth will be having a lab environment focused on 
recreating enterprise infrastructure, aimed at simulating and emulating various adversaries. 
Visitors will be able to view, simulate and control various TTPs used by adversaries. 


The simulator is meant to be a learning experience, irrespective of whether one is 
hands-on with highly sophisticated attack tactics or from the management. 


AEROSPACE VILLAGE 


Friday: 10:00 - 17:00, Saturday: 10:00 - 17:00, Sunday: 10:00 - 13:00 
Location: Caesars Forum, Forum Ballroom 112-117 


The aviation and space industries, security researchers, and the public share a common goal: 
safe, reliable, and trustworthy aviation and space operations. For too long, negative perceptions 
and fractured trust on all sides have held back collaboration between the aviation, space, and 
security researcher communities that has advanced safety, reliability, and security of other 
industries. As the traditional domains of aviation safety and cybersecurity increasingly overlap, 
more effective collaboration between stakeholders ensures we will be safer, sooner, together. 


Through the Aerospace Village, the security research community invites industry leaders, 
researchers and academia interested in aviation and space security, safety, and resilience 
to attend, understand, and collaborate together to achieve our common goals. Empathy 
and understanding build common ground, while acts and words likely to increase 
division between these two communities undermine these efforts. The Aerospace Village 
welcomes those who seek to improve aviation and space security, safety, and resilience 
through positive, productive collaboration among all ecosystem stakeholders. 


Our Goal 


The Aerospace Village is a volunteer team of hackers, pilots, and policy advisors who come 
from the public and private sectors. We believe the flying public deserves safe, reliable, and 
trustworthy air travel which is highly dependent on secure aviation and space operations. 


Our Mission 
Create, sustain, and grow an inclusive community focused on aerospace cybersecurity; 
Inspire the next generation of aerospace cybersecurity leaders; 
Promote and develop aerosp... 


Village participants ... through workshops and ... Promoting constructive ... 


... network traffic ... against ... analysis. Its use has o... 
traditional targets, such a... systems used in self driving c... 
defending and attacking these machine learning systems that t... 
made aware of. This AI Village will introduce DEF CON attendee... 
of the art in defending and attacking them. We will provide a setting ... 
large through workshops and a ... for researchers in this area to sha... 


We will have talks from our CFP, tutorials, and trainings during the earlier part of each day. 
Friday, our afternoon sessions will focus on the ethical use of AI technologies underlying different 
business activities and the policies around them. We have commitment from federal government 
policymakers to attend and participate in the policy panel discussion. On Saturday, our focus 
will be how AI and artists are hacking creativ... in the visual arts and music. This 
will include a generative art workshop, a gall..., and a music performance from the 
Dadabots. Sunday will contain more talks fr... and our ending talk about AI. 
APPSEC VILLAGE 


Friday: 10:00 - 17:00, Saturday: 18:00 
- 17:00, Sunday: 10:00 - 14:00 


Location: Flamingo, Twilight Ballroom 


The first three AppSec Villages were a resounding success. We 
learned that whether in person or online, our AppSec community 
is fantastic. We are pumped to be back bigger and better. 


Come immerse yourself in everything the world of application security 
has to offer. Whether you are a red, blue, or purple teamer, come 
learn from the best of the best to exploit software vulnerabilities and secure software. Software is 
everywhere, and Application Security vulnerabilities are lurking around every corner, making the 
software attack surface attractive for abuse. If you are just an AppSec n00b or launch deserialization 
attacks for fun and profit, you will find something to tickle your interest at the AppSec Village. 


Software runs the world. Everything from IoT, medical devices, the power grid, smart 
cars, voting apps - all of it has software behind it. Such a variety of topics will be reflected 
in our cadre of guest speakers representing all backgrounds and walks of life. 


AppSec Village welcomes all travelers to choose from talks by expert community members, an all 
AppSec-focused CTF, contests that challenge your mind and your skillz, and more. Bring your thirst 
for knowledge and passion for breaking things, and your visit to AppSec Village will be a thrill! 




BIO HACKING 
VILLAGE 


Friday: 10:00 - 18:00, 
Saturday: 10:00 - 18:00, 
Sunday: 10:00 - 13:00 


Location: Flamingo, Laughlin I,II,III 


DEVICE LAB: The-highly-collaborative environment builds health care, connecting 
security-researchers, manufacturers, clinicians, and regulators, to learn from each other 
and develop skills, codifying best practices and paths for high fidelity cyber safety. 


SPEAKER LAB: Speakers foster critical thinking, problem solving, human interaction literacy, 
ethics debates, creativity, and collaboration. Subject matter experts and researchers share 
the future of their research, reflecting the biological technologies and emerging threats. 


CATALYST LAB: Providing interaction with. thought leaders from the medical device 
and citizen science communities through training and hands-on workshops and solutions 
design, to cover the entirety ofthe biomedical device and security ecosystem. 


CAPTURE THE FLAG: Featuring the virtual learning environment of St. Elvis Hospital, the CTF offers 
protocol, regulatory, and biological challenges to access and assess vulnerabilities in real devices. 


TABLE TOP EXERCISES: Discussion-based sessions of increasing complexity and difficulty 
regarding vulnerabilities in a series of Machiavellian healthcare industry scenarios 




BLACKS IN CYBERSECURITY 
VILLAGE 


The Blacks In Cybersecurity (B.I.C.) Village seeks to bring culturally 
diverse perspectives to the holistic Cybersecurity community; by 
way of a series of talks and a capture the flag event. In providing 
these activities, we hope to help highlight Black experiences, 
innovations in the field, Black culture and educate the community about Black history. 


In doing this, we believe that we can better educate and normalize the discussion of deficiency or 
prejudices in Cybersecurity education/development for minority communities. We also believe this 
effort can be translated to aid in eradication of these issues in the Cybersecurity and Hacker/Maker 
community and allow for more diverse hobbyists and professionals to engage and contribute. 
BLUE TEAM VILLAGE 


Welcome to the other side of the mirror. Blue Team Village (our 
friends just call us BTV) is both a place and a community built by defenders 
for defenders. It’s a place to gather, share, and learn from each 
other about the latest tools, technologies, and tactics that our community 
can use to detect attackers and prevent them from achieving their goals. 




This year BTV will be running a series of hands-on workshops and 
panel discussions that are part of BTV’s Project Obsidian. 


Project Obsidian is an immersive, defensive cybersecurity 
learning experience that provides attendees with the opportunity to gain knowledge 
of Incident Response (IR), Digital Forensics, Reverse Engineering Malware (REM), 
Cyber Threat Intelligence (CTI), and Cyber Threat Hunting 
topics through workshops and exercises that provide practical insight into the technical 
side of each discipline. Workshops provide the training necessary to help develop the 
skills needed to be successful in their current and/or future role in cybersecurity. 


Two of the most important takeaways we highlight are how to strategically approach 
the operational processes that support the goals and objectives behind them, and that knowing 
‘how’ to do something is only part of the challenge. Knowing ‘when’ and ‘why’ to perform 
certain tasks adds the required context for developing the full story of defense. 

Sunday will include a recap and discussion of how we created the three killchains that were 
executed for Project Obsidian. We'll also discuss our approach and provide a behind-the-scenes look. 


Everything behind Project Obsidian, from the Ansible scripts used to build the environment to the code used 
to develop our malware emulation programs, will be released to the community under the Creative 
Commons Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) license. 
CAR HACKING VILLAGE 


Friday: 10:00 - 17:00, Saturday: 10:00 
- 17:00, Sunday: 10:00 - 12:00 


Location: Caesars Forum, 
Forum Ballroom 120-128 


Learn, hack, play. The Car Hacking Village is an 
open, collaborative space to hack actual vehicles 
that you don’t have to worry about breaking! Don’t 
have tools? We'll loan you some. Never connected 
to a car? We'll show you how. Don’t know where the 
controllers are? We'll show you how to take it apart. 


Check out CarHackingVillage.com or @CarHackVillage on Twitter for up-to-date information. 


Want to learn more about automotive hacking and cyber security? Check 
out our Discord server - https://discord.gg/JWCcTAM 


We'll also have a Car Hacking CTF which allows one to challenge their 
automotive security skills. Come learn, hack and play! 
CLOUD VILLAGE 


Friday: 10:00 - 17:00, Saturday: 10:00 
- 17:00, Sunday: 10:00 - 13:00 


Location: Flamingo, Scenic Ballroom 


With the industry shifting towards cloud infrastructure at a 
rapid speed, the presence of an open platform to discuss 
and showcase cloud research becomes a necessity. 


Cloud Village is an open platform for researchers interested in the area of cloud security. We plan 
to organize talks, tool demos, a CTF, and workshops around cloud security and advancements. 


Our CTF will be a jeopardy-style 2.5-day contest where participants will have 
to solve challenges around cloud infrastructure, security, recon, etc. These 
challenges will cover different cloud platforms including AWS, GCP, Azure, Digital 
Ocean, Alibaba, etc. We will also reward our top 3 teams with awards. 




CRYPTO & PRIVACY VILLAGE 


Friday: 10:00 - 18:00, Saturday: 10:00 
- 18:00, Sunday: 10:00 - 15:00 
Location: Flamingo, Vista Ballroom 


Crypto & Privacy Village helps bring cryptography & 
privacy knowledge and practical skills to the hacker 
community. Learn how to secure your own systems while picking up some tips and tricks on 
how to break classical and modern encryption. CPV features workshops and talks on a wide 
range of cryptography and privacy topics from experts. We'll also have some Crypto 101 talks, 
crypto-related games and puzzles, as well as running our infamous Goldbug Challenge. 
DATA DUPLICATION VILLAGE 


Thursday: 16:00 - 19:00 Dropoff, Friday: 
10:00 - 17:00, Saturday: 10:00 - 17:00, 
Sunday: 10:00 - 11:00 Pickup 


Location: Flamingo, exec conf ctr, 
Lake Meade and Valley of Fire 


The Data Duplication Village is ready for DC 30! We have all the 
updated bits and bytes available from infocon.org packed up into 
nice, neat packages. If you're looking for something to fill up all 
your unused storage, we have a few nice hash tables and all of 
the DEF CON talks. Add to that just about every other security con 
talk known to human-kind! We provide a “free-to-you” service 
with direct access to terabytes of useful data to help build those hacking skills. 


Check the schedule and/or dcddv.org for the most up-to-date information. 

HOW IT WORKS 

The DDV provides a core set of drive duplicators and data content options. We accept 6TB and 
larger drives on a first come, first served basis and duplicate ’til we can no longer see straight. 
Bring in your blank SATA3 drives - check them in early - to get the data you want. Come back 
in about 24 hours to pick up your data-packed drive. Space allowing, we'll accept drives all 
the way through until Saturday morning - but remember, it's FIFO - get those drives in early! 


WHAT YOU GET 
We're working on more content right up until the last minute, but for DC 29 we provided: 


- 6TB drive 1-3: All past hacking convention videos that DT could find, built on last year's collection 
and always adding more for your data-consuming appetite. 
- 6TB drive 2-3: freerainbowtables.com hash tables (1-2) 
- 6TB drive 3-3: GSM A5/1 hash tables plus remaining freerainbowtables.com data (2-2) 


The DC 30 content will be posted at dcddv.org once finalized. 


DT and KnightOwl post the up-to-date details in the DC Forum thread and you 
are encouraged to ask any questions you have there as con approaches. 
GIRLS HACK VILLAGE 


Friday: 10:00 - 18:00, Saturday: 10:00 
- 18:00, Sunday: 10:00 - 15:00 


Location: Flamingo, Virginia City III 


Girls Hack Village seeks to bring gender diverse perspectives of the 
contributions, perspectives, and issues facing women/girl hackers. 
It is a space to discuss issues affecting girls in cybersecurity and will 
include talks, hands-on workshops, and discussion panels. The village 
will also be having a networking event and a 90s house party. 


Conference Day 1 
Friday, August 12, 2022 


Intro: Girls Hack Village Welcome- Tennisha Martin 


Keynote 1: Mary Chaney 
Workshop 1: Intro to CTF 
LUNCH 


Panel 1: Leading the Way - Mari Galloway, Tennisha Martin, Rebekah Skeete, Tayla Parker, 
Monique Head, Eric Belardo, Yatia Hopkins: Moderator - Alshlon Banks 


Session 1: First Year 1&2- Tasha Halloway & Crystal Phinn 
Workshop 2: Network Penetration Testing 
Session 2: First Year 3 -Slam 
Session 3: Varsity 1 - Melissa Miller 
Session 4: Upper Class- Chantel Simms aka Root 
Party: Shoot your Shot Networking 
Conference Day 2 
Saturday, August 13, 2022 
Keynote 2: Yatia ( Tia) Hopkins 
Session 5: Upperclassmen 1- Tanisha O'Donoghue 
Session 6: Varsity 2- Saman Fatiman 
Session 7: Upperclass 2 - Katorah Williams 
Session 8: Upperclass 3- Ebony Pierce 
LUNCH 


Panel 2: Hacking rare - Tracey Z. Maleeff, Tennisha Martin, Rebekah Skeete, Tayla Parker, 


Ebony Pierce, Melissa Miller, Sonju Walker: Moderator - Tessa Cole 
Workshop 3: Protect the Pi 
Session 8: Upperclass 4- Rebekah Skeete 
Session 9: Varsity 3 - Tracy Z. Maleeff 
Session 10: Upperclass 5- Tessa Cole 
Closing: - Tennisha Martin 
Party: 90s House Party 
Conference Day 3 
Sunday, August 14, 2022 
Workshop 4: Mobile Penetration Testing 




HAM RADIO VILLAGE 


Friday: 9:00 - 18:00, Saturday: 9:00 
- 18:00, Sunday: 10:00 - 12:00 


Location: Flamingo, Virginia City I, II 


Ham radio isn't just what your grandpa does in the shed 
out back. Radios are an important piece of technology we 
use every day, and amateur ("ham") radio has been at the 
forefront of its development since day one - we are some 
of the original hardware hackers! DIY, exploration, and 
sharing have always been a vital part of our community, and the goal of Ham Radio Village is 
to nurture this growth into the next generation with all the amazing people at DEF CON. 


Our village will have demos, talks, presentations, and of course, free license exams! 


So come visit Ham Radio Village to learn more about the hobby, including how antennas 
work (and how to build your own), how to actually use that software defined radio sitting 
on the shelf, how to track down a rogue transmitter with a handheld radio, and how you can 
*legally* transmit 1,500 Watts into the airwaves after taking a simple multiple-choice test! 
HARDWARE HACKING 
VILLAGE 


Friday: 10:00 - 18:00, Saturday: 10:00 
- 18:00, Sunday: 10:00 - 13:00 


Location: Flamingo, exec conf 
ctr, Red Rock VI, VII, VIII 


Every day our lives become more connected to consumer 
hardware. Every day the approved uses of that hardware 
are reduced, while the real capabilities expand. Come discover 
hardware hacking tricks and tips to regain some of that capacity, and 
make your own use for things! We have interactive demos to help you learn new skills. We have 
challenges to compete against fellow attendees. We have some tools to help with your fever 
dream modifications. Come share what you know and learn something new. Details @ dchhv.org 
ICS VILLAGE 


Friday: 10:00 - 18:00, Saturday: 10:00 
- 18:00, Sunday: 10:00 - 15:00 


Location: Caesars Forum, Alliance 
Ballroom 314 - 319 


Mission. ICS Village is a non-profit organization with the 
purpose of providing education and awareness of Industrial 
Control System security. Connecting public, industry, 
media, policymakers, and others directly with ICS systems 
and experts. Providing educational tools and materials to 
increase understanding among media, policymakers, and the 
general population. Providing access to ICS for security 
researchers to learn and test. Hands-on instruction for industry to defend ICS systems. 




Why. High profile Industrial Control Systems security issues have grabbed 
headlines and sparked changes throughout the global supply chain. The ICS 
Village allows people of any experience level to understand these systems and 
how to better prepare and respond to the changing threat landscape. 

Exhibits. Interactive simulated ICS environments, such as Hack the Plan(e)t and Howdy Neighbor, 
provide safe yet realistic examples to preserve safe, secure, and reliable operations. We bring 
real components such as Programmable Logic Controllers (PLC), Human Machine Interfaces 
(HMI), Remote Telemetry Units (RTU), and actuators to simulate a realistic environment across 
different industrial sectors. Visitors can connect their laptops to assess these ICS devices 
with common security scanners, network sniffers to sniff the industrial traffic, and more! 


The Village provides workshops, talks, and training classes. 
IOT VILLAGE 


Friday: 10:00 - 18:00, Saturday: 10:00 
- 18:00, Sunday: 10:00 - 15:00 


Location: Caesars Forum, Alliance 
Ballroom 310, 320 


IoT Village advocates for advancing security in the Internet of 
Things (IoT) industry through bringing researchers and industry 
together. IoT Village hosts talks by expert security researchers, 
interactive hacking labs, live bug hunting in the latest IoT tech, and 
competitive IoT hacking contests. Over the years IoT Village has served as a platform to showcase 


The Packet Hacking Village at DEF CON provides a learning experience for people of all skill levels, from absolute 
beginners to seasoned professionals. We host practical training, network forensics and analysis games, and the renowned 
Capture The Packet event, which has been a Black Badge contest over 10 times and draws the best of the best elite hackers 
from around the world. Our mission has always been simple: to teach people good internet safety practices, and to provide 
an atmosphere that encourages everyone to explore and learn. Everyone is welcome, period - regardless of industry or 
experience. And when it’s time to relax and escape the convention craziness, our DJs provide a chill atmosphere while they 
spin for the crowd in an open lounge area. 


An interactive look at what can happen when you let your guard down on public networks, the infamous Wall of Sheep 
passively monitors the DEF CON network looking for traffic utilizing insecure protocols. Drop by, hang out, and see for yourself 
just how easy it can be! We strive to educate the “sheep” we catch, and provide a good-natured reminder that security 
matters, and someone is always watching. 


Wall of Sheep DJ Community - WoSDJCo 


Come chill with us while we play all your favorite deep tracks, 
underground house, techno, psytrance, dubstep yodeling, breaks, and 
DnB beats mixed live all weekend. Chill and enjoy the sick beats and ill 
stylings of our talented hacker DJs while you hack all the things. Check 
website for schedule. 


@wallofsheep 


@capturetp 


WALKTHROUGH WORKSHOPS 


The Packet Hacking Village offers a revolving series of Walkthrough Workshops for people of all ages and skills, where 
participants will take a deep dive into a variety of topics. Join the self-guided journey to learn about topics like honeypots, 
botnets, RegEx, and more guided by our expert mentors! Check website for schedule of activities. 


CAPTURE THE PACKET 


Capture The Packet - CTP 


Come compete in the world’s most challenging cyber defense competition based on the Aries Security Cyber Range, 
which DT has honored as a Black Badge event over 10 years. Tear through the challenges, traverse a hostile enterprise class 
network, and diligently analyze your findings in order to make it out unscathed. Glory and prizes await those that emerge 
victorious from this upgraded labyrinth, and only the best prepared and battle hardened will escape the fiendish crucible. 
Follow us on Twitter at @Capturetp for the latest information on competition dates and times, as well as prizes. 

Teams consist of up to 2 players and can register at the CTP table in the Packet Hacking Village. 


PACKET INSPECTOR 


Packet Inspector - Beginner/Intermediate 


The perfect introduction to network analysis, sniffing, and forensics. Do you want to understand how hackers tap into 
a network, steal passwords, and listen to conversations? Packet Inspector is your boot camp! Using a license of the world 
famous Capture The Packet engine from Aries Security, we teach hands-on skills in a controlled real-time environment. 

Join us in the Packet Hacking Village to start your quest towards getting a black belt in Packet-Fu. 


Packet Detective - Intermediate/Advanced 


Ready to upgrade your skills or see how you would fare in Capture The Packet? It’s time to play Packet Detective. A step 
up in difficulty from Packet Inspector, Packet Detective will test your network hunting abilities with real-world scenarios 
at the intermediate level. Improve your network mastery in a friendly environment, learn from mentors and peers, and take 
another step closer to preparing yourself for the highly competitive Capture The Packet contest. 






and uncover hundreds of new vulnerabilities, giving attendees the opportunity to learn about 
the most innovative techniques to both hack and secure IoT. IoT Village is organized by security 
consulting and research firm Independent Security Evaluators (ISE), and Loudmouth Security. 


Follow both ISE (@ISEsecurity) and IoT Village (@IoTvillage) on Twitter for updates. 
LOCK PICK VILLAGE 


Friday: 10:00 - 18:00, Saturday: 10:00 
- 18:00, Sunday: 10:00 - 13:00 


Location: Caesars Forum, Summit Ballroom 235 


Want to tinker with locks and tools the likes of which you've 
only seen in movies featuring police, spies, and secret 
agents? Then come on by the Lockpick Village, run by The 
Open Organization Of Lockpickers, where you will have the 
opportunity to learn hands-on how the fundamental hardware 
of physical security operates and how it can be compromised. 


The Lockpick Village is a physical security demonstration and participation area. Visitors can 
learn about the vulnerabilities of various locking devices, techniques used to exploit these 
vulnerabilities, and practice on locks of various levels of difficulty to try it themselves. 


Experts will be on hand to demonstrate and plenty of trial locks, pick tools, and other devices 
will be available for you to handle. By exploring the faults and flaws in many popular lock 
designs, you can not only learn about the fun hobby of sport-picking, but also gain a much 
stronger knowledge about the best methods and practices for protecting your own property. 
MISINFORMATION 
VILLAGE 


Friday: 10:00 - 18:00, Saturday: 
10:00 - 18:00, Sunday: - 


Location: Caesars Forum, Summit Ballroom 218,236 


Cognitive security is the application of information security principles, practices, and 
tools to misinformation, disinformation, and influence operations. Cognitive Security 
takes a socio-technical lens to high-volume, high-velocity, and high-variety forms of 
“something is wrong on the internet”. Cognitive security can be seen as a holistic view 
of disinformation and misinformation from a security practitioner’s perspective. 


MisinfoCon is a global movement focused on building solutions to promote online 
trust, boost research and raise the profile of reliable and credible information. 


The MisinfoCon event series is a learning, social and networking opportunity for the 
industry to come together and address the challenges of misinformation in all of its forms 
and interdisciplinary domains. The first MisinfoCon was held at MIT in 2017. 5 years 
later, we have hosted 8 MisinfoCons in Europe and the USA. This MisinfoCon 9.0 will 
feature important sessions that advance our understanding of new content moderation 
policies, regulating disinformation, protecting democratic elections and building trust. 
PACKET HACKING VILLAGE 


Friday: 10:00 - 18:00, Saturday: 10:00 
- 18:00, Sunday: 10:00 - 15:00 


Location: Caesars Forum, Academy Ballroom 411-414, 420 






PASSWORD VILLAGE 


Friday: 10:00 - 18:00, Saturday: 10:00 
- 18:00, Sunday: 10:00 - 15:00 


Location: Caesars Forum, Summit Ballroom 221 


The Password Village provides training, discussion, and hands- 
on access to hardware and techniques utilized in modern 
password cracking, with an emphasis on how password 
cracking relates to your job function and the real world. No 
laptop? No problem! Feel free to use one of our terminals 
to access a pre-configured GPGPU environment to run 
password attacks against simulated real-world passwords. 
Village staff and expert volunteers will be standing by to assist you with on-the-spot training 
and introductions to Hashcat, as well as other FOSS cracking applications. Already a 
password cracking aficionado? Feel free to give a lightning talk, show off your skills, help a 
n00b learn the basics, or engage in riveting conversation with other password crackers. 
PAYMENT VILLAGE 
(VIRTUAL ONLY) 


Friday: 10:00 - 18:00, Saturday: 10:00 
- 18:00, Sunday: 10:00 - 15:00 


Location: Virtual ONLY - Discord channels 


Payment technologies are an integral part of our lives, yet few of us know much about them. 
Have you ever wanted to learn how payments work? Do you know how criminals bypass 
security mechanisms on Point of Sale terminals, ATMs and digital wallets? Come to the Payment 
Village and learn about the history of payments. We'll teach you how hackers gain access to 
banking endpoints, bypass fraud detection mechanisms, and ultimately, grab the money! 
PHYSICAL SECURITY 
VILLAGE 


Friday: 10:00 - 18:00, Saturday: 10:00 
- 18:00, Sunday: 10:00 - 15:00 


Location: Caesars Forum, Summit Ballroom 201-202 
The Physical Security Village (formerly known as the Lock Bypass 
Village) explores the world of hardware bypasses and techniques 
generally outside of the realm of cyber security and lockpicking. Come 
learn some of these bypasses, how to fix them, and have the opportunity to try them out for yourself! 


We'll be covering the basics, including the under-the-door-tool and latch slipping 
attacks, as well as an in-depth look at more complicated bypasses. Learn about 
elevator hacking, try out alarm system attacks at the sensor and communication 
line, and have an inside look at common hardware to see how it works. 


No prior experience or skills necessary - drop in and learn as much or as little as you'd like! 


Looking for a challenge? Show us you can use lock bypass to escape from a 
pair of standard handcuffs in under 30 seconds and receive a prize! 
POLICY@DEFCON.ORG 
Friday: 10:00 - 18:00, Saturday: 10:00 - 18:00, Sunday: 10:00 - 15:00 
Location: Caesars Forum, Summit Ballroom 224-222 


Interested in the cutting edge of hacking technology and its policy implications? Interested 
in talking with policy folks wanting an honest assessment of what is possible? 


Hackers are early users and abusers of technology, and that technology is now critical to modern life. 
As governments make policy decisions about technology, hackers, researchers and academics need to 
be part of that conversation before the decisions are made, and not after policies are implemented. 


To do that DEF CON is a place for everyone on the policy and technology spectrum 
to interact, learn from each other, and improve outcomes. As with previous 
years, the Policy Team will be supporting DEF CON 30 in several ways: 


1. By helping the policy community register for the event and orient themselves with the 
opportunities to participate and join the conversation. 


2. By building connections with technical and policy experts. 


3. By providing opportunities for those interested in learning more about the challenges at the 
intersection of policy and technology. 


Our Policy program will consist of main stage presentations and panels, daytime 
sessions in our policy track, and some evening lounges that will provide an off-the- 
record and more intimate setting to have policy-focused conversations. 
QUANTUM VILLAGE 


Friday: 10:00 - 18:00, Saturday: 10:00 
- 18:00, Sunday: 10:00 - 15:00 
Location: Caesars Forum, Summit Ballroom 212 


!! CALLING ALL QUANTUM HACKERS !! 

Q-Day is coming! Or is it... 


Welcome to DEF CON's inaugural Quantum Village. At QV we want you to come and engage with, 
explore, and discuss quantum technologies, and we have brought a few for you to play with, too! 
We have a track of talks and workshops, and hands-on interactive ways you will learn how to use 
(and hack) quantum tech. Come and play with quantum computers, learn about quantum sensors, 
and see that you don't need a PhD in physics to write quantum software (and maybe exploit it)!! 
RADIO FREQUENCY VILLAGE 


Friday: 10:00 - 18:00, Saturday: 10:00 
- 18:00, Sunday: 10:00 - 15:00 


Location: Flamingo, Eldorado Ballroom 


After 14 years of evolution, from the WiFi Village, to the Wireless 
Village, RF Hackers Sanctuary presents: The Radio Frequency Village 
at DEF CON 30. The Radio Frequency Village is an environment where people come to learn 
about the security of radio frequency (RF) transmissions, which includes wireless technology, 
applications of software defined radio (SDR), Bluetooth (BT), Zigbee, WiFi, Z-wave, RFID, IR 
and other protocols within the usable RF spectrum. As a security community we have grown 
beyond WiFi, and even beyond Bluetooth and Zigbee. The RF Village includes talks on all 
manner of radio frequency command and control as well as communication systems. 


While everyone knows about the WiFi and Bluetooth attack surfaces, most of us rely on many 
additional technologies every day. RF Hackers Sanctuary is supported by a group of experts in the 
area of information security as it relates to RF technologies. RF Hackers Sanctuary’s common purpose 
is to provide an environment in which participants may explore these technologies with a focus on 
improving their skills through offense and defense. These learning environments are provided in the 
form of guest speakers, panels, and Radio Frequency Capture the Flag games, to promote learning 
on cutting edge topics as they relate to radio communications. We promise to still provide free WiFi. 


https://rfhackers.com/the-crew 
Speaker and contest schedule can be found on our website: 
https://rfhackers.com/calendar 


Co-located with the RF Village is the RF Capture the Flag. Come for 
the talks, stay for the practice and the competition. 




RECON VILLAGE 


Friday: 10:00 - 18:00, Saturday: 10:00 
- 18:00, Sunday: 10:00 - 13:00 
Location: Linq, 3rd flr Social B and C 


Recon Village is an open space with talks, live demos, workshops, 
discussions, CTFs, etc. with a common focus on reconnaissance. 
The core objective of this village is to spread awareness about the 
importance of reconnaissance and open-source intelligence (OSINT) and to demonstrate how even a small 
piece of information about a target can cause catastrophic damage to individuals and organizations. 


As recon is a vital phase for infosec as well as investigations, folks should definitely have this 
skill set in their arsenal. People should check out Recon Village, as they get to learn novel 
OSINT / recon techniques, play hands-on CTF, and most of all, have fun. At RV, we keep things 
simple and the focus is on generating quality content using talks, CTF, hackathons, etc. 


We will also have our Jeopardy Style OSINT CTF Contest throughout the Village timings. Based on 
the feedback from last year, we plan to make the CTF more challenging this year. The challenges will 
be around harvesting information about target organizations, their employees’ social media profiles, 
their public svn/gits, password breach dumps, darknet, paste(s) etc., followed by active exploitation, 
bug hunting, investigation and pentest scenarios of virtual targets. All the target organizations, 
employees, servers, etc. will be created by our team and hence will not attract any legal issues. 


Similar to the previous years, there will be Awesome rewards for CTF winners, along with free 
t-shirts, stickers, village coins, and other schwag which attendees can grab and show off. 


Guess what! Our badge will also be more interesting this time and, as usual, it will be free. 




RED TEAM VILLAGE 


Friday: 10:00 - 18:00, Saturday: 10:00 
- 18:00, Sunday: 10:00 - 13:00 


Location: Flamingo, Mesquite Ballroom 


The Red Team Village is focused on training the art of critical 
thinking, collaboration, and strategy in offensive security. The 
RTV brings together information security professionals to share 
new tactics and techniques in offensive security. Hundreds of 
volunteers from around the world generate and share content with 
other offensively minded individuals in our workshops, trainings, talks, and conferences. 




RETAIL HACKING 
VILLAGE 


Friday: 10:00 - 18:00, Saturday: 
10:00 - 18:00, Sunday: 10:00 - 15:00 


Location: Caesars Forum, Alliance Ballroom 
Cha-ching. Love it or not, we are surrounded by retail, be it point of sale systems, grocery 
stores, clothing stores, and more. At the Retail Hacking Village, you will be able to lay hands 
on retail technology such as point of sale units, electronic tags and systems, and more. And 
we can dig in and explore retail talks, with insiders showing you a glimpse into this industry. 




ROGUES VILLAGE 


Friday: 10:00 - 18:00, Saturday: 10:00 
- 18:00, Sunday: 10:00 - 15:00 


Location: Linq, 3rd flr Evolution 


Rogues Village is a place to explore alternative approaches 
and uses for security concepts, tools, and techniques by 
looking to non-traditional areas of knowledge. Incorporating 
expertise from the worlds of magic, sleight of hand, con games, 
and advantage play, this village has a special emphasis on 
the overlap between Social Engineering, Physical Security, and Playful Mischief. 
SKYTALKS 303 
Friday: 08:30 - 18:30, Saturday: 08:30 - 18:30, Sunday: 08:30 - 10:00 

Location: Linq, 5th flr BLOQ 


Since DEF CON 16, Skytalks has been proud to bring you Old School DEF CON in a non- 
recorded, off-the-record track. Talks include technical deep dives, off-the-beaten path 
discussions, name-and-shame rants, cool technology projects, and plenty of shenanigans. 
We pride ourselves on a simple creed: "No recording! No photographs. No bullshit.” 




SOCIAL ENGINEERING 
COMMUNITY 


Friday: 10:00 - 19:00, Saturday: 10:00 
- 19:00, Sunday: 10:00 - 15:00 


Location: Linq, 3rd flr Social A 


The Social Engineering Community is formed by a group of individuals 
who have a passion to enable people of all ages and backgrounds 
interested in Social Engineering with a venue to learn, discuss, 
and practice this craft. We plan to use this opportunity at DEF CON to present a community 
space that offers those elements through panels, presentations, research opportunities, and 
contests in order to act as a catalyst to foster discussion, advance the craft and create a space 
for individuals to expand their network. DEF CON attendees can either participate in these 
events (watch for our Call for Papers, Call for Contestants, Call for Research, etc.), or they 
can watch the events unfold and learn about Social Engineering as an audience member. 


JC and Snow plan to accomplish the above by bringing together passionate individuals to have a 
shared stake in building this community. To do this, positions which can be rotated, such as judges, 
coaches, speakers and panelists, will be offered to different community members each year, allowing 
for new faces and ideas so that more individuals have an opportunity to give back equally. You can 
stay up-to-date with the SE Community by visiting our Twitter account https://twitter.com/sec_defcon 




SOLDER SKILLS VILLAGE 
Friday: 10:00 - 18:00, Saturday: 10:00 - 18:00, Sunday: 10:00 - 13:00 
Location: Flamingo, exec conf ctr, Red Rock I, II, III, IV, V 


Have you ever fused metal to create electronic mayhem? Do you want to learn? Travel too far 
to take your solder tools with you? Hotel take your irons cause they thought it was a fire risk? 
Come on over to the Solder Skills Village. We have irons and supplies. Volunteers (and some 
attendees) help teach, advise or just put out fires. We aim to grow the skill-set of the community 
and overcome inhibitions to this most basic skill to make electronic dreams happen. 




TAMPER EVIDENCE VILLAGE 
Friday: 10:00 - 18:00, Saturday: 10:00 - 18:00, Sunday: 10:00 - 13:00 
Location: Caesars Forum, Summit Ballroom 235 


“Tamper-evident” refers to a physical security technology that provides evidence of tampering
(access, damage, repair, or replacement) to determine authenticity or integrity of a container
or object(s). In practical terms, this can be a piece of tape that closes an envelope, a
plastic detainer that secures a hasp, or an ink used to identify a legitimate document.
Tamper-evident technologies are often confused with “tamper resistant” or “tamper proof”
technologies, which attempt to prevent tampering in the first place. Referred to individually
as “seals,” many tamper technologies are easy to destroy, but a destroyed (or missing) seal
would provide evidence of tampering! The goal of the TEV is to teach attendees how these
technologies work and how many can be tampered with without leaving evidence.




VOTING MACHINE VILLAGE
Friday: 10:00 - 18:00, Saturday: 10:00 - 18:00, Sunday: 10:00 - 15:00
Location: Caesars Forum, Alliance Ballroom 313-314, 320


Voting Machine Village explores all aspects of election
security and works to promote a more secure democracy.
DEF CON CTF


powered by


NAUTILUS INSTITUTE


After a spectacular run by the Order of the Overflow, the
Nautilus Institute is looking forward to bringing you the future
of DEF CON Capture The Flag: three days of attack-defense
action with sixteen of the best hacking teams in the world.
Our teams will be reverse engineering, pwning, and pushing
other hackers off their boxes in a head to head computing
competition to directly demonstrate effective exploitation for
the future.


How to Qualify 

DEF CON CTF is a popular contest. Over 1200 teams played 
in DEF CON CTF Qualifiers in May, with over 200 solving 
two or more challenges. We qualified last year’s champions, 
Katzebin, and 15 of the top quals teams. 


Our competitors hacked their way through an ARM TrustZone
applet, dug deep into the Missouri Encryption Standard
(base64, of course), and pieced together a flag by reverse
engineering 24,315 binaries for 16 different architectures.


Interested in bringing a team to DEF CON 31? Study up on
previous DEF CON CTF challenges, perfect your techniques,
and stay tuned for news about how to qualify in 2023.


Game schedule, Scores, and More 


https://nautilus.institute


Quals Scores

(Scoreboard; team names legible in the printed table: perfect r00t,
Balsn.217@TSJ.tw, The Duck, Sauercloud, Water Paddler, PTB_WTL,
./V /home/r/.bin/tw, Straw Hat, r3kapig, DiceGuesser, OSUSEC,
More Bush Smoked Whackers.)


Spectating CTF

Visit the CTF room to take in the ambience of the contest.
CTF is a marathon, not a sprint, so the vibes in the room
may shift as the contest progresses through Sunday.
Enjoy yourself, learn about the game, but please be
respectful! The competitors have worked very hard to
qualify, and distractions may not be appreciated.


If you have questions about CTF, members of the new
organizers, the Nautilus Institute, can probably help
you with answers!


Brighter Tomorrows

We're excited to be making the world of DEF CON CTF a
better place. As we grow, we hope to allow more disciplines
to flex at CTF, and we hope you'll be a part of that. Thank you
to the CTF and DEF CON communities for this incredible
opportunity. We hope to build a bright future for you to break.


Announcements and News


https://twitter.com/nautilus_ctf


ALPAC@TACK


Alpac@tack is an interactive defense simulation
suite, which challenges participants to
apply a wide variety of tools, knowledge
and problem-solving skills to assess
network and log activity, and build threat
intelligence in a honeypot environment.


Unlike most Defcon contests, Alpac@tack
provides a unique opportunity for participants to
develop and hone a more holistic skill set when
it comes to threat assessment. Other contests
will focus on breaking machines or defending
systems from a particular threat, where Alpac@
tack presents a leveled-up experience and
challenges attendees to evaluate whether the
honeypot is under attack, and if so, by what.


Teams achieve success during the contest by 
expeditiously analyzing activity and accurately 
identifying threats. Every team will be presented 
with a graph and a set of tools--the game 
platform--including Wireshark, Suricata, 
Velociraptor, and Wazuh, which will act as their 
source of truth for analyzing network and logging 
activity in the honeypot. The graph will update 
every 5 seconds, reflecting events and packets 
on ports and services. Participant teams must 
then select and leverage the appropriate tools to 
investigate and determine whether the incident is 
a benign anomaly or an attack. For each event 
and packet cataloged in the game platform, the 
team submits a report classifying the activity. 


While Alpac@tack is designed for players with 
some degree of literacy in defense systems, we 
will offer an associated workshop to provide 
an overview of the relevant systems and 
technologies the day prior to the contest with 
the goal of lowering the barrier to entry. So,
if you're a beginner--or just a little rusty--
don't be discouraged! Alpac@tack is for you!
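The contest asks teams to look at what Suricata and the other tools record and decide, per event, whether a source is a benign anomaly or an attack. As an added illustration of that kind of triage (this is not Alpac@tack's game platform or scoring code), the Python below reads a few constructed alert records in Suricata's EVE JSON format and sorts each source into "attack" or "benign anomaly" with a stated reason. The sample records, the signature names, and the SCAN_PORTS / SCAN_WINDOW thresholds are assumptions for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Suricata's EVE JSON format (newline-delimited
# JSON, one event per line). Not a real capture: the IPs are documentation
# ranges and the signature names are made up for this example.
SAMPLE_EVE = """
{"timestamp":"2022-08-12T10:00:01.000000-0700","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"signature":"SCAN Potential SSH Scan","severity":2}}
{"timestamp":"2022-08-12T10:00:02.000000-0700","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.0.5","dest_port":23,"proto":"TCP","alert":{"signature":"SCAN Suspicious inbound to telnet","severity":2}}
{"timestamp":"2022-08-12T10:00:03.000000-0700","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.0.5","dest_port":80,"proto":"TCP","alert":{"signature":"SCAN NMAP -sS window 1024","severity":2}}
{"timestamp":"2022-08-12T10:00:04.000000-0700","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.0.5","dest_port":443,"proto":"TCP","alert":{"signature":"SCAN NMAP -sS window 1024","severity":2}}
{"timestamp":"2022-08-12T10:00:05.000000-0700","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.0.5","dest_port":3306,"proto":"TCP","alert":{"signature":"SCAN NMAP -sS window 1024","severity":2}}
{"timestamp":"2022-08-12T10:05:00.000000-0700","event_type":"alert","src_ip":"198.51.100.9","dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"signature":"POLICY SSH session on expected port","severity":3}}
{"timestamp":"2022-08-12T10:09:00.000000-0700","event_type":"alert","src_ip":"192.0.2.44","dest_ip":"10.0.0.5","dest_port":80,"proto":"TCP","alert":{"signature":"WEB_SERVER PHP remote code execution attempt","severity":1}}
{"timestamp":"2022-08-12T10:09:00.500000-0700","event_type":"flow","src_ip":"192.0.2.44","dest_ip":"10.0.0.5","dest_port":80,"proto":"TCP"}
"""

# Assumed triage thresholds; tune them to the honeypot's normal traffic.
SCAN_PORTS = 5                        # distinct destination ports ...
SCAN_WINDOW = timedelta(seconds=60)   # ... hit by one source inside this window


def parse_eve(text):
    """Parse newline-delimited EVE JSON, keeping only event_type == "alert"."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue               # flows, DNS, etc. are context, not verdict input
        # Suricata timestamps carry a numeric UTC offset, which %z accepts.
        rec["_ts"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        alerts.append(rec)
    return alerts


def is_port_scan(events):
    """True if one source touched >= SCAN_PORTS distinct ports within a sliding SCAN_WINDOW."""
    events = sorted(events, key=lambda e: e["_ts"])
    for i, first in enumerate(events):
        ports = set()
        for e in events[i:]:
            if e["_ts"] - first["_ts"] > SCAN_WINDOW:
                break
            ports.add(e["dest_port"])
            if len(ports) >= SCAN_PORTS:
                return True
    return False


def classify(alerts):
    """Return {src_ip: (verdict, reason)}; verdict is "attack" or "benign anomaly"."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src_ip"]].append(a)
    verdicts = {}
    for src, evs in by_src.items():
        if is_port_scan(evs):
            n = len({e["dest_port"] for e in evs})
            verdicts[src] = ("attack", f"port scan: {n} distinct ports within "
                                       f"{int(SCAN_WINDOW.total_seconds())}s")
        elif min(e["alert"]["severity"] for e in evs) == 1:   # 1 = highest in Suricata
            sig = next(e["alert"]["signature"] for e in evs if e["alert"]["severity"] == 1)
            verdicts[src] = ("attack", f"high-severity signature: {sig}")
        else:
            verdicts[src] = ("benign anomaly",
                             f"{len(evs)} low/medium-severity alert(s), no scan pattern")
    return verdicts


def triage(text=SAMPLE_EVE):
    """Parse and classify one EVE log; the report a team would submit per source."""
    return classify(parse_eve(text))


if __name__ == "__main__":
    for src, (verdict, why) in triage().items():
        print(f"{src:15} {verdict:15} {why}")
```

The scan rule is deliberately a sliding window rather than a per-log count, so a slow source that touches one new port every few minutes is not lumped in with a burst. The "flow" record is parsed but ignored, which is the usual split in practice: flows and DNS give context for an alert, they do not carry a verdict on their own.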


AUTODRIVING CTF


#Overview 


Last year, we organized the AutoDriving CTF as
an official contest of DEF CON 29 (https://forum.defcon.org/node/237292)
and did reasonably well: more than 100 teams participated and 93
teams had valid scores. Last year, due to the
pandemic, the contest was online only with on-site
demonstrations. All the challenges were deployed
in 3D simulators. This year, we propose a hybrid
event with in-person challenges on-site. We also
plan to introduce some new challenges with real
vehicles involved, in addition to those based
on autonomous driving simulators. We hope
to continue the engagement with the hacking
community to raise the awareness of real-world
security challenges in autonomous driving.


The AutoDriving CTF contest focuses on the
emerging security challenges in autonomous
driving systems. Various levels of self-driving
functionalities, such as AI-powered perception,
sensor fusion and route planning, are entering
the product portfolio of automobile companies.
From the security perspective, these AI-powered
components not only contain common security
problems such as memory safety bugs, but
also introduce new threats such as physical
adversarial attacks and sensor manipulations.
Two popular examples of physical adversarial
attacks are camouflage stickers that interfere
with vehicle detection systems, and road graffiti
that disturbs lane keeping systems. The AI-
powered navigation and control relies on the
fusion of multiple sensor inputs, and many of the
sensor inputs can be manipulated by malicious
attackers. These manipulations combined
with logical bugs in autonomous driving
systems pose severe threats to road safety.


We design autonomous driving CTF 
(AutoDriving CTF) contests around the 
security challenges specific to these self- 
driving functions and components. 


The goals of the AutoDriving 
CTF are the followings: 


- Demonstrate security risks of poorly designed
autonomous driving systems through hands-on
challenges, increase the awareness
of such risks in security professionals,
and encourage them to propose defense
solutions and tools to detect such risks.


- Provide CTF challenges that allow players 
to learn attack and defense practices related 
to autonomous driving in a well-controlled, 
repeatable, and visible environment. 


- Build a set of vulnerable autonomous 
driving components that can be used for 
security research and defense evaluation. 


The contest is based on a Jeopardy style of CTF
game with a set of independent challenges. A
typical contest challenge includes a backend
that runs autonomous driving components in
simulated or real environments, and a frontend
that interacts with the players. This year's
contest will follow the style of last year and
includes the following types of challenges:


- “attack”: such as constructing adversarial 
patches and spoofing fake sensor inputs, 


- “forensics”: such as investigating a security 
incident related to autonomous driving, 


- "detection": such as detecting spoofed 
sensor inputs and fake obstacles, 


- “crashme оп road!”: such as creating 
dangerous traffic patterns to expose logical 
errors in autonomous driving systems. 


Most of these challenges will be developed 
using game-engine based autonomous driving 
simulators, such as CARLA and SVL. 


The following link contains some challenge
videos from AutoDriving CTF at DEF CON 29


https://www.youtube.com/channel/UCPPsKbVpxwk-464Klzr8xKw


# What’s new in 2022 


This year, we will unlock new security-critical
driving scenarios such as stop-controlled and
signalized intersections. New difficulty levels
will be added to challenges in such scenarios
by integrating real downstream AI modules
such as object tracking from open-source
autonomous driving software like Apollo,
Autoware and openpilot. For example, players
will be required to generate adversarial masks
which will be overlaid on the surface of a
stop sign to prevent the self-driving vehicle from
stopping. The self-driving vehicle is equipped
with a tracking component, so merely hiding
the stop sign in several frames will not work.
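Why a tracker defeats a few-frame attack is easy to see in code. The Python below is an added example, not the contest's challenge code and not the tracking module of Apollo, Autoware or openpilot; it assumes a minimal hit/miss track-management policy (confirm a track after a few consecutive detections, drop it only after a run of consecutive misses) and feeds it a constructed sequence of per-frame detector verdicts in which an adversarial mask suppresses detection for a chosen number of frames. The frame counts and thresholds are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Track:
    """State of one tracked object (here: a stop sign)."""
    hits: int = 0          # consecutive frames with a detection
    misses: int = 0        # consecutive frames without one
    confirmed: bool = False


class HitMissTracker:
    """Assumed minimal track-management policy of the kind a perception
    stack wraps around its per-frame detector: a track is confirmed after
    `confirm_hits` consecutive detections and dropped only after
    `max_misses` consecutive frames without one, so a confirmed track
    survives short detection gaps."""

    def __init__(self, confirm_hits=3, max_misses=5):
        self.confirm_hits = confirm_hits
        self.max_misses = max_misses
        self.track = None

    def update(self, detected):
        """Consume one frame's detector verdict; return True if the planner
        should currently act as though the sign is present."""
        if detected:
            if self.track is None:
                self.track = Track()
            t = self.track
            t.hits += 1
            t.misses = 0
            if t.hits >= self.confirm_hits:
                t.confirmed = True
        elif self.track is not None:
            t = self.track
            t.hits = 0
            t.misses += 1
            if t.misses >= self.max_misses:
                self.track = None        # track dropped: sign considered gone
        return self.track is not None and self.track.confirmed


def per_frame_only(detections):
    """Baseline with no tracking: the planner trusts each frame in isolation."""
    return list(detections)


def tracked(detections, confirm_hits=3, max_misses=5):
    """Run the detector verdicts through the tracker; one belief per frame."""
    tr = HitMissTracker(confirm_hits, max_misses)
    return [tr.update(d) for d in detections]


def attack_frames(visible_before=10, hidden=3, visible_after=10):
    """Constructed detector output for an approach to a stop sign where an
    adversarial mask suppresses detection for `hidden` consecutive frames."""
    return [True] * visible_before + [False] * hidden + [True] * visible_after


def sign_lost(beliefs):
    """True if, after the sign was first believed present, that belief ever dropped."""
    seen = False
    for b in beliefs:
        if b:
            seen = True
        elif seen:
            return True
    return False


def attack_succeeds(hidden, confirm_hits=3, max_misses=5):
    """Does hiding the sign for `hidden` frames make the tracked planner lose it?"""
    return sign_lost(tracked(attack_frames(hidden=hidden), confirm_hits, max_misses))


if __name__ == "__main__":
    print("no tracker, 1 hidden frame :", sign_lost(per_frame_only(attack_frames(hidden=1))))
    for h in (3, 4, 5, 6):
        print(f"tracker, {h} hidden frames :", attack_succeeds(h))
```

With the defaults, one missing frame is enough against the per-frame baseline, while the tracked planner keeps the sign until the mask holds for at least max_misses consecutive frames; that gap budget is exactly what the challenge forces players to beat, and it is why a mask has to work across the whole approach rather than in a handful of frames.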


A video demonstrating an attacked 
scenario is available at 


https://youtu.be/4aedG1GNfRw


In addition to the simulation challenges, we
will add challenges with real vehicles in the
loop. In this setup, the vehicle under attack
will be placed on a rack and the driving
environment will be displayed on a monitor in
front of the windshield camera. We will have
the real vehicle running in a lab and players
will interact with the vehicle by remotely
manipulating the virtual driving environments
(such as the projected road signs in front of
the vehicle). The attack results will be judged
based on system logs (for open-source systems,
such as openpilot) or dashboard visualizations
(for closed-source vehicles).


The following URL shows some 
specifications about the real vehicles 


https://docs.google.com/document/d/1oFC5Swn-UQ3hqIBA_Pw51lo8WZqToU4TcQCb3UYocFc/edit?usp=sharing


In order to enable the audience to experience
the challenges more directly, we plan to set
up a vehicle wheel controller on site this year.
Audiences can drive themselves to compete with
the self-driving vehicle in some of the challenges.


# For players 


- What do players need to do to
participate in the AutoDriving CTF?


Most of the challenges do not require domain
knowledge of autonomous driving software
or adversarial machine learning, although
knowledge of those helps. For example,
players can generate images the way they
like (e.g., drawing, photoshopping) to fool the
AI components or write a short Python script to
control the vehicle. Some challenges, such as
incident forensics, would likely require players
to learn domain knowledge such as sensor
information formats and how fusion works.


- What do we expect players to 
learn through the CTF event? 


Players can (1) gain a deep understanding of 
real-world autonomous driving systems’ design, 
implementation, and their corresponding 
security properties and characteristics; and (2) 
learn the attack and defense practices related 
to autonomous driving in a well-controlled, 
repeatable, visible, and engaging environment. 


@autodrivingctf


CONTRAPTION CONTEST 


In-person Contest 


It's DEFCON 30 and the world is a tumultuous
place. Maybe Putin has invaded NATO.
Maybe China has invaded Taiwan or doubled
down on its bid to claim the oddly sack-shaped
"nine dash line". I think Pooh Bear may be
trying to compensate for something. Whatever
the current events, I'm going to claim WWIII
is right around the corner and you should be
prepared! Prepared to chill your beverage
that is. If the world is ending, do you really
want to see it out with a warm beverage!? I
thought not! If I'm going out in a nuclear hellfire
I want it to be with ice cold suds. So come on
down and let's get prepped! In person only


Friday 1100 - 1400 


Maybe something on Saturday if 
beverage remains and interest exists. 
BIC VILLAGE CAPTURE THE FLAG


Hybrid Contest


The BIC Village Capture The Flag Event is
a Jeopardy style event designed to practice
solving challenges in multiple categories.


This event seeks to not only be a series of puzzles
and challenges to solve, but a gamified way to
learn concepts of social justice and Black history.
The gamified and challenge oriented sections
of the event will not only challenge one's mind
in problem solving and critical thinking but also
charge one with the mission of identifying and
learning about historical facts and figures that
they would not otherwise be exposed to.


https://www.blacksincyberconf.com/ctf 
@BlackInCyberCo1


CAPTURE THE PACKET


In Packet Hacking Village 


The time for those of hardened mettle is 
drawing near; are you prepared to battle? 


Compete in the world's most challenging 
cyber defense competition based on the Aries 
Security cyber range. Tear through hundreds 
of bleeding-edge challenges, traverse a 
hostile enterprise-class network, and diligently 
analyze the findings to escape unscathed. 
Glory and prizes await those who emerge 
victorious from this upgraded labyrinth. 


While Capture The Packet can easily scale for
users of every level, for DEF CON we pull out all
the stops and present our most fiendishly difficult
puzzles. Capture The Packet has been a DEF
CON Black Badge event for over 10 years, and
we don't plan on stopping. This event attracts the
best of the best from around the world to play
- are you ready to show us what you've got?


https://www.capturethepacket.com/ 
@capturetp, @wallofsheep 
CAR HACKING VILLAGE CTF


In-person Contest


The Car Hacking Village CTF is a fun interactive
challenge which gives contestants first hand
experience interacting with automotive
technologies. We work with multiple
automotive OEMs and suppliers
to ensure our challenges give a real-world
experience of hacking cars. We understand
car hacking can be expensive, so please
come check out our village and flex your
skills in hacking automotive technologies.


https://www.carhackingvillage.com/
@CarHackVillage




CMD+CTRL


Hybrid Contest


Friday 1000 PDT (GMT -7) to
Saturday 1800 PDT (GMT -7)


HEY HACKERS! ARE YOU LEET? PROVE 
IT BY BEATING MAILJAY, OUR NEW 
CYBER RANGE. POSTMESSAGE XSS! 
MFA BYPASS! RCE! LEENUX PRIVESC! 


Join CMD+CTRL @ DEF CON 30 
for this challenging CTF. 


CMD+CTRL Cyber Range is an interactive 
learning and hacking platform where 
development, security, IT, and other roles 
come together to build an appreciation for 
protecting the enterprise. Players learn security 
techniques in a real-world environment where 
they compete to find vulnerabilities. Real-time 
scoring keeps everyone engaged and creates 
friendly competition. Our Cloud and App
Cyber Ranges incorporate authentic, fully 
functioning applications and vulnerabilities 
often found in commercial web platforms. 


At DEF CON 30: We will be debuting our latest
Cloud Cyber Range, MailJay, which focuses on
exploiting a modern email marketing platform
comprised of web applications, services, and a
variety of cloud resources. Inspired by the latest
trends and real world exploits, try your hand at
bypassing a WAF, HTTP Desync, postMessage
XSS, RCE, MFA bypass, and so, so much more!
With twice as many challenges as our past Cloud
Ranges, do you think you can complete them all?


This year we are happy to announce that we will
be returning to DEF CON in person. We will be
running this event both on site and online via
Discord. Join us Friday (8/12) through Saturday
(8/13) for this invite-only CTF by signing up
with the registration form below. This event is
limited to 250 players, so save your seat now!


Register here: https://forms.gle/3TbT4JWsTFWVwrér9


More info: http://defcon30.cmdnctrl.net (will be online shortly)
Twitter: @cmdnctrl_defcon


CRACK ME IF YOU CAN (CMIYC)


Contest


In its 13th year, KoreLogic's premiere
password contest


"CrackMeIfYouCan" is back again to challenge
the world's best password crackers. The contest
is broken up into Pro and Street teams - so
"take a chill pill" if you are new to password
cracking (and don't have jigowatts of GPU
power), there is still plenty of fun to be had.
We've spent all year coming up with password-
related challenges for our Pro teams that
are DaBomb! So listen up home skillet, come
see us in the Villages area where we will
have some hella nice professional password
crackers who are all that, and a bag of chips!


This year's contest is going to be totally radical! 
We are like, totally psyched to be partnering 
with the Password Village this year. I kid you
not, the contest is going to be so easy that
even an airhead or a jock could crack these
passwords! PSYCH! The challenges are going
to be bodacious and like totally dope. This 
year, it is not about wordlists, rules, patterns, 
or about forensics. In the past we've asked our 
teams how passwords have changed over time... 
now we are going to ask them to go back, to 
the future of password cracking. Like, totally. 


https://contest.korelogic.com/ 
@CrackMeIfYouCan


CRASH AND COMPILE


In-person Contest 


What happens when you take an ACM style 
programming contest, smash it head long into 
a drinking game, throw in a mix of our most 
distracting helpers, then shove the resulting 
chaos incarnate onto a stage? You get the 
contest known as Crash and Compile. 


Teams are given programming challenges and
have to solve them with code. If your code
fails to compile? Take a drink. Segfault? Take a
drink. Did your code fail to produce the correct
answer when you ran it? Take a drink. We set
you against the clock and the other teams. And
because our "Team Distraction" think watching
people simply code is boring, they have taken it
upon themselves to be creative in hindering you
from programming, much to the enjoyment of
the audience. At the end of the night, one team
will have proven their ability, and walk away
with the coveted Crash and Compile trophy.


Crash and Compile is looking for the top
programmers to test their skills in our contest.
Can you complete our challenges? Can you
do so with style that sets your team ahead
of the others? To play our game you must
first complete our qualifying round. Gather
your team and see if you have the coding
chops to secure your place as one of the
top teams to move on to the main contest.


Qualifications for Crash and Compile 
will take place Friday from 10am to 3pm 
online at https://crashandcompile.org. 


You may have up to two people
per team. (Having two people on
a team is highly suggested.)

Of the qualifiers, nine teams will move on to
compete head to head on the contest stage.


The main contest takes place 
Saturday 17:00 - 20:00. 


Contest Area Stage 
web: https://crashandcompile.org/ 
@CrashAndCompile 


CREATIVE WRITING SHORT STORY CONTEST


Online Contest


The DEF CON Short Story contest is a pre-
con contest that is run entirely online utilizing
the DEF CON forums, Twitter, and reddit. This
contest follows the theme of DEF CON for the
year and encourages hackers to roll up their
sleeves, don their proverbial thinking cap, and
write the best creative story that they can. The
Short Story Contest encourages skills that are
invaluable in the hacker's world, but are often
overlooked. Creative writing in a contest setting
helps celebrate creativity and originality in
arenas other than hardware or software hacking
and provides a creative outlet for individuals who
may not have another place to tell their stories.


More Info: @dcshortstory 
https://twitter.com/dcshortstory 


DARKNET-NG


Hybrid Contest 




Darknet-NG is an In-Person Massively Multiplayer
Online Role Playing Game (MMO-RPG), where
the players take on the Persona of an Agent who
is sent on Quests to learn real skills and gain
in-game points. If this is your first time at DEF
CON, this is a great place to start, because we
assume no prior knowledge. Building from basic
concepts, we teach agents about a range of
topics from Lock-picking, to using and decoding
ciphers, to Electronics 101, just to name a few,
all while also helping to connect them to the
larger DEF CON Community. The "Learning
Quests" help the agent gather knowledge from
all across the other villages at the conference,
while the "Challenge Quests" help hone their
skills! Sunday Morning there is a BOSS FIGHT
where the Agents must use their combined
skills as a community and take on that year's
challenge! There is a whole skill tree of
knowledge to obtain, community to connect
with and memories to make! To get started,
check out our site https://darknet-ng.network
and join our growing Discord Community!


Friday: 10 am - 4:30 pm 
Saturday: 10 am - 4:30 pm 
Sunday: 10 am- 12 pm 
https://darknet-ng.network/
@DarknetNg 
DEF CON 30 CHESS TOURNAMENT


In-person Contest 




Chess, computers, and hacking. In the 18th
century, the Mechanical Turk appeared to play
a good game, but there was a human ghost in
the shell. Some of the first computer software was
written to play chess. In 1997, world champion
Garry Kasparov lost to Deep Blue, but he
accused IBM of cheating, alleging that only a
rival grandmaster could make certain moves.


At DEF CON 30, we will run a human
chess tournament with a "blitz" time control
of 5 minutes on each player's clock, in a
Swiss-system format. In each round, match
pairings are based on similar running scores.
Everyone plays the full tournament, and the
winner has the highest aggregate score.


The Las Vegas Chess Center (LVCC) will
manage the tournament. To help crown
the best chess player at DEF CON 30, we
will register the rated players first, on site,
starting one hour prior to the tournament.


Saturday 15:00 - 18:00 Room 133 Forum 


DEF CON BIKE RIDE


“CYCLEOVERRIDE” 


Hybrid Event 


At 6am on Friday, the cycle_override crew will be
hosting the 10th Defcon Bikeride. We miscounted
last year, which was really the 9th. We'll meet
at a local bike shop, get some rental bicycles,
and about 7am will make the ride out to Red
Rocks. It's about a 15 mile ride, all downhill on
the return journey. So, if you are crazy enough
to join us, get some water, and head over to
cycleoverride.org for more info. See you at 6am
Friday! jp_bourget, gdead, heidishmoo.
In the event that there is no on site Defcon,
we will do a virtual ride during Defcon.


DEF CON MUD


Hybrid Contest 


Multi User Dungeons, or MUDs, are the text
based precursors to MMOs. The DEFCON
MUD is an intentionally vulnerable game written
in a language called LPC. The theme every
year varies. This year we will be going back
to the original engine as featured in DEFCON
27. All new areas will be built to frustrate
players. The game will launch 2 weeks before
DEFCON and will run until DEFCON Sunday.


Can you beat the game, can you find the sword 
of 1000 truths, can you find the exploits? 


Game opens 2 weeks before DEFCON to
allow people time to explore and play.
There will be a formal scoring system which
will be released Thursday evening. On site
activity will be related to shenanigans and
powerful item drops at random locations.


Friday: 24 hours 
Saturday: 24 hours 
Sunday: 24 hours (scoring cutoff at noon) 


A website documenting the MUD is 
at https://mog.ninja and a CTFd is 
setup at https://ctf.mog.ninja 


DEF CON RED TEAM CTF


In-person Contest 


Website: https://threatsims.com/redteam-2022.html


Once again this year's DEF CON Red Team CTF
will be hosted by Threat Simulations! We have
an amazing, immersive scenario that stresses
strong red team skills as players traverse through
an enterprise network. This event is not for the
faint of heart: first you will battle with hundreds
of teams in a jeopardy board style CTF, then the
top teams will enter the finals where your Red
Team skills will be tested in a full Active Directory
environment. Your team will compete against
some of the best red teamers in the world as you
exploit, pivot, and loot the target environment.


DEF CON SCAVENGER HUNT


In-person Contest


25TH ANNIVERSARY


The DEF CON Scavenger Hunt is back for
the 25th hunt. We are gearing up to once
again catch Las Vegas with its pants down
#pantslessvillage. This year, we return
to in-person only operations with up to 5
people per team and table submissions.


For those new to DEF CON, or otherwise 
uninitiated, the DEF CON Scavenger Hunt is 
regarded by many as the best way to interact 
with the con. We do our best to encourage 
you to challenge your comfort zone, meet 
people, and otherwise see and do a bit of 
everything that DEF CON 30 has to offer. 
For those who have aspirations to become 
more involved with DEF CON in the future, 
many of our veteran contestants include 
goons, speakers, and contest organizers. 


So, how does a scavenger hunt run for 25
years? As this is DEF CON, this is not your
ordinary scavenger hunt. The list is open to
interpretation, it is a hacker con after all,
so hack the list. Because how you interpret
the list is entirely out of our hands, we have
posted trigger warnings. You will be finding
and doing a variety of things; it is up to you to
convince the judges whatever you are turning
in meets the criteria and is worth the points.


You don't have to devote all of your time to play
and have fun, come turn in a couple items and
enjoy yourself. If you want to win however, you
will have to scavenge as much as you can over
the weekend. While the hunt starts on Friday
morning, with determination and a lack of sleep,
we have seen people start at 2AM on Saturday
night and place. Likewise, if you don't play well
with others, we have seen single-players also
place. In other words, we work very hard to
keep the barrier to entry as low as possible. You
don't need to be some binary reversing wizard,
and there's no qualifier to compete, you can
just show up and win if you want it enough.


The hunt was started by Pinguino at DEF
CON 5 simply to avoid being bored; there
was no hunt at DEF CON 8, for those
doing math. In the intervening years, to
further avoid boredom, we have been out
scavenging and went from having a simple
cardboard sign to a truly mesmerizing table.


So come to the scav hunt table in the contest 
area (its hard to miss us) with a team name 
ready. Once you get a list, your assignment is 
to turn in as many items as you can before noon 
on Sunday. The team with the most points wins. 
Items are worth more points the sooner you turn 
them in, so come on down and turn in frequently. 
We want to thank Pinguino, Grifter, Siviak,
Salem, all of the judges, and all of the
players that have made it possible for us to
host the 25th DEF CON Scavenger Hunt.


The DEF CON 30 Scavenger Hunt is 
brought to you by DualD, EvilMoFo, 
Kaybz, Sconce, Shazbot, Zhora. 


THE RULES: 

1: the judges are always right 

2: not our problem 

3: make it weird 

4: don't disappoint the judge(s) 

5: team name, item number, present your item 


If you capture pictures or video of items from
our list happening, or have some from previous
years, please send it to us via email at
scavlist@gmail.com . http://defconscavhunt.com/


@DefConScavHunt


DEF CON'S NEXT TOP THREAT MODEL


Hybrid Contest 


Threat Modeling is arguably the single most
important activity in an application security
program and, if performed early, can identify
a wide range of potential flaws before a
single line of code has been written. While
it is so critically important, there is no single
correct way to perform Threat Modeling; many
techniques, methodologies and/or tools exist.




As part of our challenge we will present 
contestants with the exact same design 
and compare the outputs they produce 
against a number of categories in order 
to identify a winner and crown DEF 
CON's Next Top Threat Model(er). 


Friday: 10:00-18:00 
Saturday: 10:00-18:00 
Contest Area Stage 


DC30 HAM RADIO FOX HUNT CONTEST


In-person Contest


In the world of amateur radio, groups of hams
will often put together a transmitter hunt (also
called "fox hunting") in order to hone their
radio direction finding skills to locate one or
more hidden radio transmitters broadcasting.
The Defcon Ham Radio Fox Hunt will require
participants to locate a number of hidden radio
transmitters broadcasting at very low power
which are hidden throughout the conference.
A map with rough search areas will be given
to participants to guide them on their hunt.
Additional hints and tips will be provided
throughout Defcon at the contest table to help
people who find themselves stuck. This contest
is designed to be an introduction to ham radio
fox hunting and as such will be simple to
participate in, and all people who participate
will be guided to successful completion!


Friday: 10:00-20:00 
Saturday: 10:00-20:00 
Sunday: None 
In-person only. 
defcon27foxhunt.com 


@richsentme


EFF TECH TRIVIA


In-person Contest 


EFF's team of technology experts have crafted
challenging trivia about the fascinating, obscure,
and trivial aspects of digital security, online
rights, and Internet culture. Competing teams
will plumb the unfathomable depths of their
knowledge, but only the champion hive mind
will claim the First Place Tech Trivia Plaque
and EFF swag pack. The second and third
place teams will also win great EFF gear.


Room 410 Friday, 20:00-22:00 
https://eff.org 
@EFF 


HACKFORTRESS


In-person Contest 


Hackfortress is a unique blend of Team Fortress 2
and a computer security contest. Teams are made
up of 6 TF2 players and 4 hackers. TF2 players
duke it out while hackers are busy with challenges
like application security, network security, social
engineering, or reverse engineering. As teams
start scoring they can redeem points in the Hack
Fortress store for bonuses. Bonuses range from
crits for the TF2 players, lighting the opposing
team on fire, or preventing the other team's
hackers from accessing the store. HackFortress
challenges range from beginner to advanced,
from serious to absurd.


http://hackfortress.net 
@tf2shmoo 


HACK THE PLAN[E]T


In-person Contest 


https://www.icsvillage.com/
https://twitter.com/ICS_Village


Hack the Plan[e]t Capture the Flag (CTF)
contest will feature Howdy Neighbor and
the Industrial Control System (ICS) Range.
This first of its kind CTF will integrate both
Internet of Things (IoT) and ICS environments
with interactive components for competitors
to test their skills and knowledge.


Howdy Neighbor is an interactive IoT CTF
challenge where competitors can test their
hacking skills and learn about common
mistakes made in development, configuration,
and setup of IoT devices. Howdy Neighbor is
a miniature home - made to be "smart" from
basement to garage. It's a test-bed for reverse
engineering and hacking distinct consumer-
focused smart devices, and to understand
how the (in)security of individual devices can
implicate the safety of your home or office,
and ultimately your family or business. Within
Howdy Neighbor there are over 25 emulated
or real devices and over 50 vulnerabilities
that have been staged as challenges. Each of
the challenges is of a varying level to test a
competitor's ability to find vulnerabilities in an
IoT environment. Howdy Neighbor's challenges
are composed of real and simulated devices
controlled by an App or Network interface
and additional hardware sensors; each Howdy
Neighbor device contains 1 to 3 staged
vulnerabilities which when solved present a key
for scoring/reporting that it was discovered.


In the same vein, this CTF challenge will also leverage the ICS Village’s ICS Ranges, including physical and virtual environments, to provide an additional testbed for more advanced challenges in critical infrastructure and ICS environments. There will be integrated elements from DHS/CISA with their ranges, which are realistically miniaturized assets (e.g. an operational oil and gas pipeline, etc.).


https://www.icsvillage.com 
@ICS_Village


HACK3R RUNW@Y


In-person Contest 


After 2 years virtual and one in person, we'd like to return to the stage for our 4th year, where this contest shines best. Hack3r Runw@y brings out all the sheek geeks out there. It encourages rethinking fashion in the eyes of hackers. Be it smartwear, LED additions, obfuscation, cosplay or just everyday wear using fabrics and textures that are familiar to the community. Contestants can enter clothing, shoes, jewelry, hats or accessories. If it can be worn, it is perfect for the runway. For convenience, contestants can enter the contest with designs made ahead of the conference, however it needs to be


HACKER JEOPARDY 


In-person Event 
HOSPITAL UNDER SIEGE


Contest


BIOHACKING VILLAGE CAPTURE THE FLAG


IOT CTF CREATORS CHALLENGE (IOT CCC)


In-person Contest 


INDUSTRIES - OUTSIDE 
THE BOX 


In-person Contest 


What's this all about


It's a cube that has IoT stuff that can be hacked. This may include SDR, Bluetooth, Wifi, Infrared / Sonar, Zigbee, etc... People who hack in may be able to interact with the physical elements on the box (such as the display, door, LED array, speakers, etc...) and enter flags they capture into an online scoring engine for points.


CTF - (THE CTF FORMERLY KNOWN AS SOHOPELESSLY BROKEN)


In-person Contest 


The IoT Village Hacking CTF is hosted in IoT Village, where teams of 1-6 players access a local network filled with IoT devices primed to be exploited. You will compete against others by successfully exploiting real IoT products and finding the hidden flags in each. The hacking contest features more than 30 real-world, vulnerable IoT devices.


This event has been redesigned to include challenges which highlight tangible impacts when exploiting real vulnerabilities on real IoT devices. Hidden in the network are devices which require advanced skills to exploit or require creative attack chaining to find the flag. Players will encounter unique hacking scenarios like exfiltrating files off a NAS to find “clues” or bypassing a router firewall to access a camera on a hidden network to “see” a flag. Prepare to outwit, see, sneak, move, and listen your way through these hidden scenarios which have a cyber-physical effect.


The IoT devices in the contest are not simulated and do not contain contrived/made-up vulnerabilities. Competitors must figure out what real-world vulnerabilities exist in these devices and exploit them to get a shell and find the flag. This is what makes the IoT Village CTF special.


This 3-time DEF CON Black Badge awarded CTF contest is open to anyone! Our contest provides a wonderful experience to learn more about security and test your skills, and the IoT CTF provides the most realistic hacking experience around!


A few devices are approachable for entry level people to experience getting their first root shell, but to win this CTF your team must perform detailed network reconnaissance, lateral pivoting, vulnerability research, hardware hacking, firmware analysis, reverse engineering, and exploit development.


So, join a team (or even by yourself) and 
compete for fun and prizes! Exploit as 
many as you can during the con and the 
top three teams will be rewarded. 


https://www.iotvillage.org/#yolo 
@IoTvillage


KUBERNETES CAPTURE THE FLAG


Online-only Contest 


The DEF CON Kubernetes Capture the Flag (CTF) contest features a Kubernetes-based CTF challenge, where teams and individuals can build and test their Kubernetes hacking skills. Each team/individual is given access to a single Kubernetes cluster that contains a set of serial challenges, winning flags and points as they progress. Later flags pose more difficulty, but count for more points.


A scoreboard tracks the teams’ current and final scores. In the event of a tie, the first team to achieve the score wins that tie.


Friday: 10:00-20:00 
Saturday: 10:00-17:00 
https://containersecurityctf.com/ 


@ctfsecurity 


MAPS OF THE DIGITAL LANDS


In-person Contest 


Maps of the digital lands is a fusion of network 
engineering and drawing. This is a contest for all 
levels to come and show how good you are with 
a pen. We give you a few scenarios to choose 
from and you have to draw a map to show what 
the scenario would look like. Maybe apply your 
1337 skills to show how you'd take control of the 
network! All skills are welcome. Also come join 
us for some TBD brainstorming sessions! Check 
out https://www.alienvualt.com for schedule! 


https://www.alienvualt.com 


@mapsofdigiland 
OCTOPUS GAME


In-person Contest 




“Are you the next Octopus Champion? Find out at DEF CON 30! Enter here: https://www.mirolabs.info/octopusgame


Once entered, contestants are provided a 
random opponent. Locate your opponent and 
challenge them to a contest: rock-paper-scissors, 
Ddakji, staring contest, etc. Winners receive 
their opponents' targets and the game continues 
until we reach the top 4. The Octopus Champion 
is then decided at a special tournament with 
events designed by the Octopus Master." 


https://www.mirolabs.info/octopusgame 
@OctopusGameDC 


CAPTURE THE FLAG 


Hybrid Contest 


Do you have what it takes to hack WiFi, Bluetooth, and Software Defined Radio (SDR)?


RF Hackers Sanctuary (the group formerly known as Wireless Village) is once again holding the Radio Frequency Capture the Flag (RFCTF) at DEF CON 30. RFHS runs this game to teach security concepts and to give people a safe and legal way to practice attacks against new and old wireless technologies.


We cater to both those who are new to radio communications as well as to those who have been playing for a long time. We are looking for inexperienced players on up to the SIGINT secret squirrels to play our games. The RFCTF can be played with a little knowledge, a pen tester’s determination, and $0 to $$$$$ worth of special equipment. Our new virtual RFCTF can be played completely remotely without needing any equipment at all, just using your web browser! The key is to read the clues, determine the goal of each challenge, and have fun learning.


There will be clues everywhere, and we will provide periodic updates via Discord and Twitter. Make sure you pay attention to what's happening at the RFCTF desk, #rfctf on our Discord, on Twitter (@rf_ctf, @rfhackers), and the interwebz, etc. If you have a question - ASK! We may or may not answer, at our discretion.


FOR THE NEW FOLKS 


Our virtual RFCTF environment is played 
remotely over ssh or through a web browser. 
It may help to have additional tools installed 
on your local machine, but it isn't required. 


Read the presentations at: https://rfhackers.com/resources


Hybrid Fun 


For DEF CON 30 we will be running in "Hybrid" mode. That means we will have both a physical presence AND the virtual game. All of the challenges we have perfected in the last 2 years in our virtual game will be up and running, available to anyone all over the world (including at the conference), free of charge. In addition to the virtual challenges, we will also have a large number of "in person" only challenges. These "in-person" only challenges will include our traditional fox hunts, hide and seeks, and king of the hill challenges. Additionally, we will have many challenges which we simply haven't had time or ability to virtualize. It should be clear that playing only the virtual game will put you at a severe disadvantage in available points. Please don't expect to place if you play virtual only; consider the game an opportunity to learn, practice, hone your skills, and still get on the scoreboard. The virtual challenges which are available will have the same flags as the in-person challenges, allowing physical attendees the choice of hacking those challenges using either (or both) methods of access.


THE GAME 


To score you will need to submit flags, which will range from decoding transmissions in the spectrum, to passphrases used to gain access to wireless access points, or even files located on servers. Once you capture the flag, submit it right away, if you are confident it is worth *positive* points. Some flags will be worth more points the earlier they are submitted, and others will be negative. Offense and defense are fully in play by the participants, the RFCTF organizers, and the Conference itself. Play nice, and we might also play nice.


To play our game at DEF CON 30 join SSID: 
RFCTF_Contestant with password: iluvpentoo 


Getting started guide: https://github.com/rfhs/rfhs-wiki/wiki


Helpful files (in-brief, wordlist, resources) can be found at https://github.com/rfhs/wctf-files


Support tickets may be opened at https://github.com/rfhs/wctf-support/issues


TL;DR 


Twitter: @rf_ctf and @rfhackers
Discord: https://discordapp.com/invite/JjPQhKy
Website: http://rfhackers.com - play with us
Github: https://github.com/rfhs


Official Support Ticketing System: https://github.com/rfhs/rfctf-support/issues


https://rfhackers.com 
@rf_ctf 


RED ALERT ICS CTF


In-person Contest 


Red Alert ICS CTF is a competition for Hackers by Hackers. The event exclusively focuses on having the participants break through several layers of security in our virtual SCADA environment and eventually take over complete control of the SCADA system.


The contest would house actual ICS (Industrial 
Control System) devices from various vendors 
on a testbed showcasing different sectors of 
critical infrastructure. The participants would 
be able to view and engage with the devices 
in real time and understand how each of them 
control each of the aspects of the testbed and 
leverage this to compromise the devices. 


Red Alert ICS CTF is back with a ton of fun challenges after successfully running the CTF at DEF CON 29, DEF CON 27 and DEF CON 26 (Black Badge).


Highlights of the Red Alert ICS CTF are available at: https://youtu.be/AanKdrrQOu0


@icsctf 


STICKER DESIGN CONTEST


Pre-con contest (like the short story contest)


Ancient warriors used tattoos as a means of indicating rank in battle; it was the sort of mark that told the tales of their various conquests - their struggles and triumphs. Similarly, traversing the halls of DEF CON, one can see more modern versions manifesting as stickers - especially on laptops and other electronic equipment.


The DEF CON art contest showcases art of many different forms - wallpapers etc. However, there is not presently a medium for expression that is more portable and ubiquitous in hacker culture, especially at DEF CON. Just like DEF CON usually bundles stickers in its conference schedule booklet, which end up on a majority of attendees' laptops and other devices, the winning entry in this contest could be either added to that list of stickers, or sold standalone as swag.


We use stickers to break the ice with 
strangers, as a barter currency, to tell the 
tales of our struggles and triumphs. After 
all, is a hacker really a hacker without a 
laptop adorned with these markings? 


Here’s your chance to be part of hacker culture, by creating something that people around the world will treasure and proudly display. Submit original artwork in the theme of the con, that you believe best exemplifies hacker culture, that will be used as printed stickers.


On your marks... Make your mark.
- The contest is open to artists of any age, in any country.


- Please submit a PNG file of no more than 6 
inches x 6 inches (or 4096 px x 4096 px), any 
shape inside these dimensions is acceptable. 


- Artwork can be an original painting, 
drawing, photo, computer generated 
illustration or screen print. 


- Artwork must be original/copyright- 
free - please do not include copyrighted 
content in your submissions. 


Submissions must be made via email (247arjuntdcstickers@gmail.com)


On the forums as: https://forum.defcon.org/member/47018-247arjun


Follow: https://twitter.com/InfosecStickers for updates.


@infosecStickers 


TELECHALLENGE


Hybrid Contest


The TeleChallenge is a fast-paced, epic battle of wits and skill. Previous winners are few in number, and are among the most elite hackers at DEF CON. Designed to be played by teams, and running through the whole weekend, the TeleChallenge is entirely playable over a touch tone phone. Don't let fear of the Challenge hold you for ransom. Your voice is your passport!


https://www.youtube.com/channel/UCWxrz1cHRbiySbDRTNDIQkg/playlists


@TeleChallenge 


AND PRIVACY VILLAGE 
PUZZLE 


Hybrid Contest 


Love puzzles? Need a place to exercise your classical and modern cryptography skills? This puzzle will keep you intrigued and busy throughout Defcon - and questioning how deep the layers of cryptography go. The Gold Bug is an annual Defcon puzzle hunt, focused on cryptography. You can learn about Caesar ciphers, brush up your understanding of how Enigma machines or key exchanges work, and try to crack harder modern crypto. Accessible to all - and drop by for some kids puzzles too! PELCGBTENCUL VF UNEQ


https://goldbug.cryptovillage.org/ 


@CryptoVillage 


THE HACK-N-ATTACK HACKER HOMECOMING HEIST


In-person Contest


Real-world hacking, real-world rewards! Hack-N-Attack is an online mobile game where you hack real-world locations for points and prizes. Pizza shop? Hack it! Friend next to you? Hack them! If you took Defcon, Pokémon Go, and Ocean's 11, and squished them all together, you'd get...a lot of copyright complaints. But also Hack-N-Attack.


The Hacker Homecoming Heist is an over-the-top Vegas-style hacking contest for Defcon attendees. Once joined, attendees can run the game anywhere in Vegas and hack nearby locations for points and prizes. Wi-Fi Cracking? Got it. Exploit research? Got it. Betraying your friends for prizes? Got it!


Throughout the weekend, we will be 
broadcasting location events, bonuses, 
and news through Twitter, Discord, and 
our YouTube live stream at our booth. 


Watch this space for more information 
on dates, prizes, and promotions. 
Hack. Slash. Crash. Burn. Fun! 
https://www.hacknattack.com 
@hack_n_attack


THE SCHEMAVERSE CHAMPIONSHIP


Online Contest


Online Only this year. 


The Schemaverse [skee-muh vurs] is a space 
battleground that lives inside a PostgreSQL 
database. Mine the hell out of resources 
and build up your fleet of ships, all while 
trying to protect your home planet. Once 
you're ready, head out and conquer the 
map from other DEF CON rivals. 


This unique game gives you direct access to the database that governs the rules. Write SQL queries directly by connecting with any supported PostgreSQL client or use your favourite language to write AI that plays on your behalf. This is DEF CON of course so start working on your SQL Injections - anything goes!


https://schemaverse.com 


@schemaverse 


PRESENTING A DEF CON 30 DOUBLE FEATURE


ARRIVAL: A linguist works with the military to communicate with alien lifeforms after twelve mysterious spacecraft appear around the world.


REAL GENIUS: Yet another in a long series of diversions in an attempt to avoid responsibility.


THE CONVERSATION: A paranoid, secretive surveillance expert has a crisis of conscience when he suspects that the couple he is spying on will be murdered.


THE THIRTEENTH FLOOR: A computer scientist [...] a virtual reality simulation of 1937 becomes the primary suspect when his colleague and mentor is murdered.


CHILLS! THRILLS! A QUIET PLACE TO SIT DOWN! 


TIN FOIL HAT CONTEST


In-person Contest 


Want to block those pesky 5G microchips coursing through your vaccinated body? Were you hacking back against Putin, and need to hide? Or do those alien mind control rays just have you down lately? Fear not, for we here at the Tin Foil Hat contest have your back for all of these! Come find us in the contest area, and we'll have you build a tin foil hat which is designed to provide top quality protection for your noggin. How you ask? SCIENCE!


Show us your skills by building a tin foil 
hat to shield your subversive thoughts, 
then test it out for effectiveness. 


There are 2 categories: stock and unlimited. 
The hat in each category that causes the 
most signal attenuation will receive the 
“Substance” award for that category. We all 
know that hacker culture is all about looking 
good, though, so a single winner will be 
selected from each category for “Style”. 


http://www.psychoholics.org/tfh 
@DC_Tin_Foil_Hat 


TOXIC BBQ


In-person Event 


16:00-22:00 Thursday, Off-site at Sunset Park, Pavilion F, (36.0636, -115.1178)


The humans of Vegas invite you to the 16th in-carne-tion of this unofficial welcome party. Go AFK 4 BBQ off-Strip and make us the first stop on your DC30 reunion tour. Burgers and dogs are provided; attendees are encouraged to pitch in with more food, drinks, volunteer labor, rides, and everything that makes this cookout something to remember.


Grab flyers from an Info Booth after Linecon, check out https://www.toxicbbq.org for the history of this event, and watch #ToxicBBQ on Twitter for the latest news.


https://www.toxicbbq.org 
TRACE LABS OSINT SEARCH PARTY CTF


Hybrid Contest 


The Trace Labs Search Party CTF is a non-theoretical, gamified effort that allows for the crowdsourcing of contestants to perform a single task: conduct open source intelligence operations to help find missing persons.


You can have teams of 1-4 people; 4-person teams provide many benefits which include the coaching of more junior members. It is often a great learning opportunity if you are able to pair up with OSINT veterans. Get your team together and join us in our Discord group to get started here: https://tracelabs.org/discord


https://www.tracelabs.org/ 
initiatives/search-party 


@tracelabs 


WHOSE SLIDE IS IT ANYWAY?


In-person Event 


It’s our sixth year, but since we had to be virtual last year this will be our 5 YEAR ANNIVERSARY show of “Whose Slide Is It Anyway?”! We're an unholy union of improv comedy, hacking and slide deck sado-masochism.


Our team of slide monkeys will create a stupid amount of short slide decks on whatever nonsense tickles our fancies. Slides are not exclusive to technology, they can and will be about anything. Contestants will take the stage and choose a random number corresponding to a specific slide deck. They will then improvise a minimum 5 minute / maximum 10 minute lightning talk, becoming instant subject matter experts on whatever topic/stream of consciousness appears on the screen.


Whether you delight in the chaos of watching your fellow hackers squirm or would like to sacrifice yourself to the Contest Gods, it’s a night of schadenfreude for the whole family.


Oh, and prizes. Lots and lots of prizes. 
ImprovHacker.com 
@WhoseSlide 


SOCIAL ENGINEERING COMMUNITY (SEC) YOUTH CHALLENGE


In-person Contest 


CALLING ALL KIDS! Come use your super skills and powers to work with a team of heroes or villains. The balance of good and evil will be determined by individual participants completing various challenges in this "Choose Your Own Adventure" style event. By participating in this event, you will have opportunities to interact and learn from many other incredible villages at DEF CON while at the same time improving your Social Engineering abilities. If successful, you may even have the chance to help your team prevail and become the ultimate Superhero or Supervillain!


Friday: 9:00 - 18:00 
Saturday: 9:00 - 18:00 
Sunday: 9:00 - 14:00 
In the SEC Village Linq 


https://www.se.community/ 
events/youth-challenge/ 


@sec_defcon 


VISHING COMPETITION / 
#SECVC 


In-person Contest 




In this competition, teams go toe to toe by placing live vishing (voice phishing) phone calls in front of the Social Engineering Community audience at DEF CON. These calls showcase the duality of ease and complexity of the craft against the various levels of preparedness and defenses by actual companies.


Teams can consist of 1-3 individuals, which we hope allows for teams to utilize novel techniques to implement different Social Engineering tactics. Each team is provided limited time to place as many calls as possible from a soundproof booth. During that time, their goal is to elicit from the receiver as many objectives as possible. Whether you're an attacker, defender, business executive, or brand new to this community, you can learn by witnessing firsthand how easy it is for some competitors to schmooze their way to their goals and how well prepared some companies are to shut down those competitors!


Friday: 9:00 - 16:00 
Saturday: 9:00 - 16:00 
In the SEC Village Linq 


https://www.se.community/events/vishing-competition/


@sec_defcon 


BETTING ON YOUR DIGITAL RIGHTS: EFF POKER TOURNAMENT


In-person Contest 


Betting on Your Digital Rights: EFF 
Benefit Poker Tournament 


We're going all in on internet freedom. Take a break from hacking the Gibson to face off with your competition at the tables—and benefit EFF! Your buy-in is paired with a donation to support EFF’s mission to protect online privacy and free expression for all. Play for glory. Play for money. Play for the future of the web. Seating is limited, so reserve your spot today at eff.org/poker.


Tournament Specs: $100 Bally’s tournament buy-in with a suggested donation of $250 to EFF to sign up. Rebuys are unlimited to level 6, with each at a suggested donation of $100. Levels will be fifteen minutes, and the blinds go up at each level. Attendees must be 21+. More details at eff.org/poker.


Friday, August 12th 12:00 to 15:00 
https://eff.org/poker 
Listed by Day, Time, Track


PANEL - “SO IT'S YOUR FIRST DEF CON” - HOW TO GET THE MOST OUT OF DEF CON, WHAT NOT TO DO.


Friday at 10:00 in Track 1
45 minutes


DEF CON Goons


Panel - "So It’s your first DEF CON" - How to 
get the most out of DEF CON, What NOT to 
do. This talk is a guide to enjoying DEF CON. 
We hope to talk about how to get the most out 
of your first con and asnwer questions live from 
the audience. Feel free to come meet some long 
time goons, attendees, and DEF CON staff as 
we discuss how to navigate Las Vegas hotels 
with 30k hackers surrounding around you. 


PANEL - DEF CON POLICY DEPT - WHAT IS IT, AND WHAT ARE WE TRYING TO DO FOR HACKERS IN THE POLICY WORLD?


Friday at 10:00 in Track 2
75 minutes


DEF CON Policy Dept


DEF CON Policy Dept - What is it, and what are 
we trying to do for hackers in the policy world? 


OLD MALWARE, NEW TOOLS: GHIDRA AND COMMODORE 64, WHY UNDERSTANDING OLD MALICIOUS SOFTWARE STILL MATTERS


Friday at 10:00 in Track 3
45 minutes | Tool


Cesare Pizzi


Why does looking into 30-year-old "malicious" software make sense in 2022? Because these little "jewels", written in a handful of bytes, reached a surprisingly high level of complexity. With no other reason than pranking people or showing off technical knowledge, this software shows how much you can do with very limited resources: this is inspiring for us, looking at modern malicious software, looking at how things are done and how the same things could have been done instead.


COMPUTER HACKS IN THE RUSSIA-UKRAINE WAR


Friday at 10:00 in Track 4
20 minutes


Kenneth Geers


The Russia-Ukraine war has seen a lot of computer hacking, on both sides, by nations, haxor collectives, and random citizens, to steal, deny, alter, destroy, and amplify information. Satellite comms have gone down. Railway traffic has been stymied. Doxing is a weapon. Fake personas and false flags are expected. Every major platform has had issues with confidentiality, integrity, and availability. Hacked social media and TV have been a hall of mirrors and PSYOP. Russian comms are unreliable, so Ukrainian nets have become honeypots. Hackers have been shot in the kneecaps. Talking heads have called for a RuNet shutdown. The Ukrainian government has appealed for hacker volunteers - just send your expertise, experience, and a reference. The Great Powers are hacking from afar, while defending their own critical infrastructure, including nuclear command-and-control. Ukraine has many hacker allies, while Russian hackers are fleeing their country in record numbers. Some lessons so far: connectivity is stronger than we thought, info ops are stealing the day, drones are the future, and it is always time for the next hack.


OOPSSEC - THE BAD, THE WORST AND THE UGLY OF APTS' OPERATIONS SECURITY


Friday at 10:30 in Track 4
45 minutes | Demo, Tool


Tomer Bar


Advanced Persistent Threat groups invest in developing their arsenal of exploits and malware to stay below the radar and persist on the target machines for as long as possible. We were curious if the same efforts are invested in the operation security of these campaigns.


We started a journey researching active campaigns 
from the Middle East to the Far East including the 
Palestinian Authority, Turkey, and Iran, Russia, 
China, and North Korea. These campaigns were 
both state-sponsored, surveillance-targeted attacks 
and large-scale financially-motivated attacks. 


We analyzed every technology used throughout the attack chain: Windows (Go-lang/.Net/Delphi) and Android malware, and both Windows- and Linux-based C2 servers.


We found unbelievable mistakes which allowed us to discover new advanced TTPs used by attackers, for example: bypassing iCloud two-factor authentication, and crypto wallet and NFT stealing methods. We were able to join the attackers’ internal groups, view their chats, bank accounts and crypto wallets. In some cases, we were able to take down the entire campaign.


We will present our latest breakthroughs from our seven-year mind-game against the sophisticated Infy threat actor who successfully ran a 15-year active campaign using the most secured opSec attack chain we’ve encountered. We will explain how they improved their opSec over the years and how we recently managed to monitor their activity and could even cause a large-scale misinformation counterattack.


We will conclude by explaining how 
organizations can better defend themselves. 


THE PACMAN ATTACK: BREAKING PAC ON THE APPLE M1 WITH HARDWARE ATTACKS


Friday at 11:00 in Track 3
45 minutes | Demo, Tool, Exploit


Joseph Ravichandran


What do you get when you cross pointer authentication with microarchitectural side channels?

The PACMAN attack is a new attack technique that can bruteforce the pointer authentication code (PAC) for an arbitrary kernel pointer without causing any crashes, using microarchitectural side channels. We demonstrate the PACMAN attack against the Apple M1 CPU.


THE DARK TANGENT & MKFACTOR - WELCOME TO DEF CON & THE MAKING OF THE DEF CON BADGE


Friday at 11:00 in Track 1
45 minutes


The Dark Tangent
Mkfactor, Michael and Katie Whiteley


The Dark Tangent welcomes you to DEF CON and introduces the DEF CON 30 badge makers Mkfactor, who discuss the labor of love that went into producing the DEF CON 30 Badge.


FRIDAY 


DEF CON POLICY DEPT - SPECIAL EDITION POLICY TALK


Friday at 11:30 in Track 2
45 minutes


DEF CON Policy Dept
TBA


RUNNING ROOTKITS LIKE A NATION-STATE HACKER


Friday at 11:30 in Track 4
20 minutes | Demo, Tool


Omri Misgav


Code Integrity is a threat protection feature first 
introduced by Microsoft over 15 years ago. On 
x64-based versions of Windows, kernel drivers 
must be digitally signed and checked each time 
they are loaded into memory. This is also referred 
to as Driver Signature Enforcement (DSE). 


The past year showed high-profile APT groups kept leveraging the well-known tampering technique to disable DSE at runtime. Meanwhile, Microsoft rolled out new mitigations: driver blocklists and Kernel Data Protection (KDP), a new platform security technology for preventing data-oriented attacks.


Since using blocklist only narrows the attack 
vector, we focused on how KDP was applied 
in this case to eliminate the attack surface. 


We found two novel data-based attacks to 
bypass KDP-protected DSE, one of which is 
feasible in real-world scenarios. Furthermore, 
they work on all Windows versions, starting 
with the first release of DSE. We'll present each 
method and run them on live machines. 


We'll discuss why KDP is an ineffective mitigation. As it didn’t raise the bar against DSE tampering, we looked for a different approach to mitigate it. We'll talk about how defenders can take a page out of attackers’ playbook to cope with the issue until HVCI becomes prevalent and really eliminates this attack surface.
GLITCHED ON EARTH BY HUMANS: A BLACK-BOX SECURITY EVALUATION OF THE SPACEX STARLINK USER TERMINAL


Friday at 12:00 in Track 1
45 minutes | Demo, Exploit


Lennert Wouters


This presentation covers the first black-box hardware security evaluation of the SpaceX Starlink User Terminal (UT). The UT uses a custom quad-core Cortex-A53 System-on-Chip that implements verified boot based on the ARM Trusted Firmware (TF-A) project. The early stage TF-A bootloaders, and in particular the immutable ROM bootloader, include custom fault injection countermeasures. Despite the black-box nature of our evaluation we were able to bypass signature verification during execution of the ROM bootloader using voltage fault injection.


Using a modified second stage bootloader we 
could extract the ROM bootloader and eFuse 
memory. Our analysis demonstrates that the fault 
model used during countermeasure development 
does not hold in practice. Our voltage fault 
injection attack was first performed in a laboratory 
setting and later implemented as a custom printed 
circuit board or ‘modchip’. The presented attack 
results in an unfixable compromise of the Starlink 
UT and allows us to execute arbitrary code. 


Obtaining root access on the Starlink UT is a 
prerequisite to freely explore the Starlink network 
and the underlying communication interfaces. 


This presentation will cover an initial exploration 
of the Starlink network. Other researchers 
should be able to build on our work to 

further explore the Starlink ecosystem. 


DEF CON POLICY DEPT - SPECIAL EDITION POLICY TALK


Friday at 12:30 in Track 2 
45 minutes 


DEF CON Policy Dept 
TBA 
AVOIDING MEMORY SCANNERS: CUSTOMIZING MALWARE TO EVADE YARA, PE-SIEVE, AND MORE


Friday at 12:00 in Track 3 
45 minutes 


Kyle Avery 


Tired of encoding strings or recompiling to 
break signatures? Wish you could keep PE-sieve 
from ripping your malware out of memory? 
Interested in learning how to do all of this with 
your existing COTS or private toolsets? 


For years, reverse engineers and endpoint security software have used memory scanning to locate shellcode and malware implants in Windows memory. These tools rely on IoCs such as signatures and unbacked executable memory. This talk will dive into the various methods in which memory scanners search for these indicators and demonstrate a stable evasion technique for each method. A new position-independent reflective DLL loader, AceLdr, will be released alongside the presentation and features the demonstrated techniques to evade all of the previously described memory scanners. The presenter and their colleagues have used AceLdr on red team operations against mature security programs to avoid detection successfully.

This talk will focus on the internals of PE-sieve, MalMembDetect, Moneta, Volatility malfind, and YARA to understand how they find malware in memory and how malware can be modified to fly under their radar consistently.


ONE BOOTLOADER TO LOAD THEM ALL


Friday at 12:00 in Track 4 
45 minutes | Demo, Tool, Exploit 


Mickey Shkatov 


Jesse Michael 


Introduced in 2012, Secure Boot - the OG trust in boot - has become a foundational rock in modern computing and is used by millions of UEFI-enabled computers around the world due to its integration in their BIOS.


The way Secure Boot works is simple and 
effective, by using tightly controlled code signing 
certificates, OEMs like Microsoft, Lenovo, Dell 
and others secure their boot process, blocking 
unsigned code from running during boot. 


But this model puts its trust in developers developing code without vulnerabilities or backdoors; in this presentation we will discuss past and current flaws in valid bootloaders, including some which misuse built-in features to inadvertently bypass Secure Boot.


We will also discuss how in some cases malicious 
executables can hide from TPM measurements used 
by BitLocker and remote attestation mechanisms. 


Come join us as we dive deeper and explain 
how it all works, describe the vulnerabilities we 
found and walk you through how to use the 
new exploits and custom tools we created to 
allow for a consistent bypass for secure boot 
effective against every X86-64 UEFI platform. 


EMOJI SHELLCODING: Ў”, 7, 
AND Ў 

Friday at 13:00 in Track 1 

45 minutes | Demo, Tool 


Hadrien Barral 


Georges-Axel Jaloyan 


Shellcodes are short executable stubs that are used in various attack scenarios, whenever code execution is possible. After quickly recalling what a shellcode is and why designing shellcodes under constraints is an art, we'll study a new constraint for which (to the best of our knowledge) no such shellcode was previously known: emoji shellcoding. We'll tackle this problem by introducing a new and more generic approach to shellcoding under constraints. Brace yourselves, you'll see some black magic weaponizing these cute little emojis into merciless exploits.


BACKDOORING PICKLES: A DECADE ONLY MADE THINGS WORSE


Friday at 13:00 in Track 3 
20 minutes | Demo, Tool 


ColdwaterQ 


Eleven years ago, "Sour Pickles" was presented by Marco Slaviero. Python docs already said pickles were insecure at that time. But since then, machine learning frameworks started saving models in pickled formats as well. So, I will show how simple it is to add a backdoor into any pickled object, using machine learning models as an example. I will also show an example of how to securely save a model to prevent malicious code from being injected into it.




YOU’RE MUTED ROOTED


Friday at 13:00 in Track 4 
45 minutes | Demo, Tool, Exploit 


Patrick Wardle 


With a recent market cap of over $100 
billion and the genericization of its name, the 
popularity of Zoom is undeniable. But what 
about its security? This imperative question is 
often quite personal, as who amongst us isn't 
jumping on weekly (daily?) Zoom calls? 


In this talk, we'll explore Zoom's macOS application to uncover several critical security flaws: flaws that provided a local unprivileged attacker a direct and reliable path to root.

The first flaw presents itself subtly in a core cryptographic validation routine, while the second is due to a nuanced trust issue between Zoom's client and its privileged helper component.

After detailing both root cause analysis and full exploitation of these flaws, we'll end the talk by showing how such issues could be avoided, both by Zoom and in other macOS applications.


WEAPONIZING WINDOWS SYSCALLS AS MODERN, 32-BIT SHELLCODE


Friday at 13:30 in Track 3 
20 minutes | Demo 


Tarek Abdelmotaleb 


Dr. Bramwell Brizendine 


While much knowledge exists on using syscalls for red team efforts, information on writing original shellcode with syscalls in modern x86 is sparse and lacking. Our reverse engineering efforts, however, have revealed the necessary steps to take to successfully perform syscalls in shellcode, both for Windows 7 and 10, as there are some significant differences.

In this talk, we will embark upon a journey that will show the process of reverse engineering how Windows syscalls work in both Windows 7 and 10, while focusing predominantly on the latter. With this necessary foundation, we will explore the process of effectively utilizing syscalls inside shellcode. We will explore the special steps that must be taken to set up syscalls - steps that may not be required to do equivalent actions with WinAPI functions.

This talk will feature various demonstrations of syscalls in x86 shellcode.
DEF CON POLICY DEPT - SPECIAL EDITION POLICY TALK


Friday at 13:30 in Track 2 
45 minutes 


DEF CON Policy Dept 
TBA 


SPACE JAM: EXPLORING RADIO FREQUENCY ATTACKS IN OUTER SPACE


Friday at 14:00 in Track 1 
45 minutes | Demo, Tool 


James Pavur 
Digital Service Expert, Defense Digital Service 


Satellite designs are as myriad as the stars in the sky, but one common denominator across all modern missions is their dependency on long-distance radio links. In this briefing, we will turn a hacker's eye towards the signals that are the lifeblood of space missions. We'll learn how both state and non-state actors can, and have, executed physical-layer attacks on satellite communications systems and what their motivations have been for causing such disruption.

Building on this foundation, we'll present modern evolutions of these attack strategies which can threaten next-generation space missions. From jamming, to spoofing, to signal hijacking, we'll see how radio links represent a key attack surface for space platforms and how technological developments make these attacks ever more accessible and affordable. We'll simulate strategies attackers may use to cause disruption in key space communications links and even model attacks which may undermine critical safety controls involved in rocket launches.

The presentation will conclude with a discussion of strategies which can defend against many of these attacks.

While this talk includes technical components, it is intended to be accessible to all audiences and does not assume any prior background in radio communications, astrodynamics, or aerospace engineering. The hope is to provide a launchpad for researchers across the security community to contribute to protecting critical infrastructure in space and beyond.




PROCESS INJECTION: BREAKING ALL MACOS SECURITY LAYERS WITH A SINGLE VULNERABILITY


Friday at 14:00 in Track 3 
45 minutes | Exploit 


Thijs Alkemade 


macOS local security is shifting more and more to the iOS model, where every application is codesigned, sandboxed and needs to ask for permission to access sensitive data. New security layers have been added to make it harder for malware that has gained a foothold to compromise the user's most sensitive data. Changing the security model of something as large and established as macOS is a long process, as it requires many existing parts of the system to be re-examined. For example, creating a security boundary between applications running as the same user is a large change from the previous security model.

CVE-2021-30873 is a process injection vulnerability we reported to Apple that affected all macOS applications. This was addressed in the macOS Monterey update, but completely fixing this vulnerability requires changes to all third-party applications as well. Apple has even changed the template for new applications in Xcode to assist developers with this.

In this talk, we'll explain what a process injection vulnerability is and why it can have critical impact on macOS. Then, we'll explain the details of this vulnerability, including how to exploit insecure deserialization in macOS. Finally, we will explain how we exploited it to escape the macOS sandbox, elevate our privileges to root and bypass SIP.


PHREAKING 2.0 - ABUSING MICROSOFT TEAMS DIRECT ROUTING


Friday at 14:00 in Track 4 
20 minutes | Demo, Exploit 


Moritz Abrell 


Microsoft Teams offers the possibility to integrate your own communication infrastructure, e.g. your own SIP provider for phone services. This requires a Microsoft-certified and -approved Session Border Controller. During the security analysis of this federation, Moritz Abrell identified several vulnerabilities that allow an external, unauthenticated attacker to perform toll fraud.

This talk is a summary of this analysis, the identified security issues and the practical exploitation, as well as the manufacturer's capitulation to the final fix of the vulnerabilities.


LEAK THE PLANET: VERITATEM COGNOSCERE NON PEREAT MUNDUS


Friday at 14:30 in Track 2 
45 minutes 


Emma Best 


Xan North 


As leaks become more prevalent, they come from an increasing variety of sources: from data that simply isn't secured, to insiders, to hacktivists, and even occasional state actors (both covert and overt). Often treated as a threat, when handled responsibly leaks are a necessary part of the ecosystem of a healthy and free society and economy. In spite of prosecutors' love of prosecution, the eternal fixation with Fear, Uncertainty and Doubt and DDoSecrets' apocalyptic motto, leaks won't destroy the world - they can only save it.

In this presentation, we'll discuss the necessity and evolution of leaks, and how various types of leaks and sources can offer different sorts of revelations. We'll then explore how we can responsibly handle different types of leaks even during volatile and politically charged situations, as well as past failures.

We'll also debunk the myth that hacktivism is just a cover for state actors by exploring examples of entities with state ties and how they were identified, as well as how both hacktivists and state actors have been misidentified or mishandled in the past.

Finally, we'll discuss some of the lessons activists, newsrooms and governments can learn from the last decade, and where we should collectively go from here.


TRACE ME IF YOU CAN: BYPASSING LINUX SYSCALL TRACING


Friday at 14:30 in Track 4 
45 minutes | Demo, Tool, Exploit 


Rex Guo 


Junyuan Zeng 


In this talk, we will present novel vulnerabilities and 
exploitation techniques that reliably bypass Linux 
syscall tracing. A user mode program does not need 
any special privileges or capabilities to reliably 
avoid system call tracing detections by exploiting 
these vulnerabilities. The exploits work even when 
seccomp, SELinux, and AppArmor are enforced. 




Advanced security monitoring solutions on Linux VMs and containers offer system call monitoring to effectively detect attack behaviors. Linux system calls can be monitored by kernel tracing technologies such as tracepoint, kprobe, ptrace, etc. These technologies intercept system calls at different places in the system call execution. These monitoring solutions can be deployed on cloud compute instances such as AWS EC2, Fargate, EKS, and the corresponding services from other cloud providers.

We comprehensively analyzed the Time-of-check-to-time-of-use (TOCTOU) issues in the Linux kernel syscall tracing framework and showed that these issues can be reliably exploited to bypass syscall tracing. Our exploits manipulate different system interactions that can impact the execution time of a syscall. We demonstrated that significant syscall execution delays can be introduced to make TOCTOU bypass reliable even when seccomp, SELinux, and AppArmor are enforced. Compared to the phantom attacks in DEF CON 29, the new exploit primitives we use do not require precise timing control or synchronization.

We will demonstrate our bypass for Falco on Linux VMs/containers and GKE. We will also demonstrate bypass for pdig on AWS Fargate. In addition, we will demonstrate exploitation techniques for syscall enter and explain the reason why certain configurations are difficult to reliably exploit. Finally, we will summarize exploitable TOCTOU scenarios and discuss potential mitigations in various cloud computing environments.


EXPLORING THE HIDDEN ATTACK SURFACE OF OEM IOT DEVICES: PWNING THOUSANDS OF ROUTERS WITH A VULNERABILITY IN REALTEK'S SDK FOR ECOS OS


Friday at 15:00 in Track 1
45 minutes


Octavio Gianatiempo 


Octavio Galland 


In this presentation, we go over the main challenges we faced during our analysis of the top-selling router on a local e-commerce site, and how we found a zero-click remote unauthenticated RCE vulnerability. We will do a walkthrough of how we located the root cause of this vulnerability and found that it was ingrained in Realtek's implementation of a networking functionality in its SDK for eCos devices.

We then present the method we used to automate the detection of this vulnerability in other firmware images. We reflect on the fact that on most routers this functionality is not even documented and can't be disabled via the router's web interface. We take this as an example of the hidden attack surface that lurks in OEM internet-connected devices.

We conclude by discussing why this vulnerability hasn't been reported yet, despite being easy to spot (having no prior IoT experience), widespread (affecting multiple devices from different vendors), and critical.

Our research highlights the poor state of firmware security, where vulnerable code introduced down the supply chain might never get reviewed and ends up having a great impact, evidencing that security is not a priority for the vendors and opening the possibility for attackers to find high impact bugs with low investment and little prior knowledge.


LSASS SHTINKERING: ABUSING WINDOWS ERROR REPORTING TO DUMP LSASS


Friday at 15:00 in Track 3 
45 minutes | Demo, Tool 


Asaf Gilboa 


This presentation will show a new method of dumping LSASS that bypasses current EDR defenses without using a vulnerability but by abusing a built-in mechanism in the Windows environment, which is the WER (Windows Error Reporting) service.

WER is a built-in system in Windows designed to gather information about software crashes. One of its main features is producing a memory dump of crashing user-mode processes for further analysis.

We discovered a new attack vector for dumping LSASS, dubbed LSASS Shtinkering, by manually reporting an exception to WER on the LSASS process without crashing it.

The technique can also be used to dump the memory of any process on the system.

This attack can bypass defenses that wrongfully assume that a memory dump generated from the WER service is a benign activity.

In this talk, we'll show a step-by-step approach of how we reverse-engineered the WER dumping process, the challenges we found along the way, as well as how we have managed to solve them.
HOW RUSSIA IS TRYING TO BLOCK TOR


Friday at 15:30 in Track 2 
45 minutes | Tool 


Roger Dingledine 


In December 2021, some ISPs in Russia started blocking Tor's website, along with protocol-level (DPI) and network-level (IP address) blocking to try to make it harder for people in Russia to reach the Tor network. Some months later, we're now at a steady-state where they are trying to find new IP addresses to block and we're rotating IP addresses to keep up. In this talk I'll walk through what steps the Russian censors have taken, and how we reverse engineered their attempts and changed our strategies and our software. Then we'll discuss where the arms race goes from here, what new techniques the anti-censorship world needs if we're going to stay ahead of future attacks, and what it means for the world that more and more countries are turning to network-level blocking as the solution to their political problems.


BROWSER-POWERED DESYNC ATTACKS: A NEW FRONTIER IN HTTP REQUEST SMUGGLING


Friday at 15:30 in Track 4 
45 minutes | Demo, Exploit 


James Kettle 


The recent rise of HTTP Request Smuggling has seen 
a flood of critical findings enabling near-complete 
compromise of numerous major websites. However, 
the threat has been confined to attacker-accessible 
systems with a reverse proxy front-end... until now. 


In this session, I'll show you how to turn your 
victim's web browser into a desync delivery 
platform, shifting the request smuggling frontier 
by exposing single-server websites and internal 
networks. You'll learn how to combine cross- 
domain requests with server flaws to poison 
browser connection pools, install backdoors, and 
release desync worms. With these techniques I'll 
compromise targets including Apache, Akamai, 
Varnish, Amazon, and multiple web VPNs. 


While some classic desync gadgets can be adapted, other scenarios force extreme innovation. To help, I'll share a battle-tested methodology combining browser features and custom open-source tooling. We'll also release free online labs to help hone your new skillset.

I'll also share the research journey, uncovering a strategy for black-box analysis that solved several long-standing desync obstacles and unveiled an extremely effective novel desync trigger. The resulting fallout will encompass client-side, server-side, and even MITM attacks; to wrap up, I'll live-demo breaking HTTPS on Apache.


HACKING ISPS WITH POINT-TO-PWN PROTOCOL OVER ETHERNET (PPPOE)


Friday at 16:00 in Track 1 
45 minutes | Demo 


Gal Zror 


Hello, my name is BWL-X8620, and I'm a SOHO router. For many years my fellow SOHO routers and I were victims of endless abuse by hackers. Default credentials, command injections, file uploading - you name it. And it is all just because we're WAN-facing devices. Just because our ISP leaves our web server internet-facing makes hackers think it's okay to attack and make us zombies. But today, I say NO MORE!

In this talk, I will show that if a web client can attack a web server, then an ISP client can attack the ISP servers!

I will reveal a hidden attack surface and vulnerabilities in popular network equipment used by ISPs worldwide to connect end-users to the internet.

BRAS devices are not that different from us SOHO routers. No one is infallible. But, BRAS devices can support up to 256,000 subscribers, and exploiting them can cause a ruckus. Code execution can lead to a total ISP compromise, mass client DNS poisoning, endpoint RCE, and more!

This talk will present a high severity logical DoS vulnerability in a telecommunications vendor's implementation of PPPoE and a critical RCE vulnerability in PPP. That means we, the SOHO routers, can attack and execute code on the ISPs that connect us to the internet!

Today we are fighting back!


WIRELESS KEYSTROKE INJECTION (WKI) VIA BLUETOOTH LOW ENERGY (BLE)


Friday at 16:00 in Track 3 
45 minutes | Demo, Tool, Exploit 


Jose Pico 


Fernando Perera 


We present a Microsoft Windows vulnerability that allows a remote attacker to impersonate a Bluetooth Low Energy (BLE) keyboard and perform Wireless Key Injection (WKI) on its behalf. It can occur after a legitimate BLE keyboard automatically closes its connection because of inactivity. In that situation, an attacker can impersonate it and wirelessly send keys.

In this talk we will demonstrate the attack live and we will explain the theoretical basis behind it and the process that led us to discover the vulnerability. We will also release the tool that allows reproducing the attack and we will detail how to use it.


DEF CON POLICY DEPT - SPECIAL EDITION POLICY TALK


Friday at 16:30 in Track 2 
45 minutes 


DEF CON Policy Dept 
TBA 


A DEAD MAN'S FULL-YET-RESPONSIBLE-DISCLOSURE SYSTEM


Friday at 16:30 in Track 4 
45 minutes | Demo, Tool 


Yolan Romailler 


Do you ever worry about responsible disclosure because they could instead exploit the time-to-patch to find you and remove you from the equation? Dead man switches exist for a reason...

In this talk we present a new form of vulnerability disclosure relying on timelock encryption of content: where you encrypt a message that cannot be decrypted until a given (future) time. This notion of timelock encryption first surfaced on the Cypherpunks mailing list in 1993, proposed by its crypto-anarchist founder, Tim May; to date, while there have been numerous attempts to tackle it, none have been deployed at scale, nor made available to be used in any useful way.

This changes today: we're releasing a free, open-source tool that achieves this goal with proper security guarantees. We rely on threshold cryptography and decentralization of trust to exploit the existing League of Entropy (that is running a distributed, public, verifiable randomness beacon network) in order to do so. We will first cover what all of these mean, then we will see how these building blocks allow us to deploy a responsible disclosure system that guarantees that your report will be fully disclosed after the time-to-patch has elapsed. This system works without any further input from you, unlike the usual Twitter SHA256 commitments to a file on your computer.
HUNTING BUGS IN THE TROPICS


Friday at 17:00 in Track 1 
45 minutes | Exploit 


Daniel Jensen 


Aruba Networks makes networking products for the enterprise. I make enterprise products run arbitrary code.

Over the past couple of years, I've been hunting for vulnerabilities in some of Aruba's on-premise networking products and have had a bountiful harvest. A curated (read: patched) selection of these will be presented for your enjoyment. Pre-auth vulnerabilities and interesting bug chains abound, as well as a few unexpected attack surfaces and a frequently overlooked bug class.

This talk will explore some of the vulnerabilities I've found in various products in the Aruba range, and include details of their exploitation. I'll elaborate on how I found these bugs, detailing my workflow for breaking open virtual appliances and searching for vulnerabilities in them.


LET'S DANCE IN THE CACHE - DESTABILIZING HASH TABLE ON MICROSOFT IIS


Friday at 17:00 in Track 3 
45 minutes | Demo, Tool, Exploit 


Orange Tsai 


Hash Table, as the most fundamental Data Structure in Computer Science, is extensively applied in Software Architecture to store data in an associative manner. However, its architecture makes it prone to Collision Attacks. To deal with this problem, 25 years ago, Microsoft designed its own Dynamic Hashing algorithm and applied it everywhere in IIS, the Web Server from Microsoft, to serve various data from the HTTP Stack. As Hash Table is everywhere, isn't the design from Microsoft worth scrutinizing?

We dive into IIS internals through months of Reverse-Engineering efforts to examine both the Hash Table implementation and the use of Hash Table algorithms. Several types of attacks are proposed and uncovered in our research, including (1) A specially designed Zero-Hash Flooding Attack against Microsoft's self-implemented algorithm. (2) A Cache Poisoning Attack based on the inconsistency between Hash-Keys. (3) An unusual Authentication Bypass based on a hash collision.

By understanding this talk, the audience won't be surprised why we can destabilize the Hash Table easily. The audience will also learn how we explore the IIS internals and will be surprised by our results. These results could not only make a default installed IIS Server hang with 100% CPU but also modify arbitrary HTTP responses through crafted HTTP requests. Moreover, we'll demonstrate how we bypass the authentication requirement with a single, crafted password by colliding the identity cache!


DEANONYMIZATION OF TOR HTTP HIDDEN SERVICES


Friday at 17:30 in Track 4
20 minutes | Demo, Exploit 


Ionut Cernica


Anonymity networks such as Tor are used to protect the identity of people or services. Several deanonymization techniques have been described over time. Some of them attacked the protocol, others exploited various configuration issues. Through this presentation I will focus on deanonymization techniques for the HTTP services of such networks by exploiting configuration issues.

In the first part of the presentation, I will present deanonymization techniques on Tor which are public, and I will also present the techniques developed by me and the interesting story of how I came to develop them.

In the last part of my presentation, I will do a demo with the exploitation of HTTP hidden services in Tor and I will present each technique separately. I will also present how one of the techniques can be used successfully not only in the Tor network, but also on the internet in order to obtain information about the server that will help you discover other services.


DEF CON POLICY DEPT - SPECIAL EDITION POLICY TALK


Friday at 17:30 in Track 2 
45 minutes 


DEF CON Policy Dept 
TBA 


KILLER HERTZ 


Friday at 18:00 in Track 1 
45 minutes | Demo, Tool, Exploit 


Chris Rock 


Governments and the private sector around the world spend billions of dollars on Electronic Counter Measures (ECMs) which include jamming technologies. These jammers are used by police departments to disrupt criminal communication operations as well as in prisons to disrupt prisoners using smuggled-in cell phones. The military uses jammers to disrupt radar communications, prevent remote IEDs from triggering and disrupt radio communications. The private sector uses jammers to disrupt espionage in the board room and to protect VIPs from RC-IEDs.

What if there was a way of communicating that was immune to jammers without knowing the point of origin? A way of communicating at short to medium distances, an Electronic Counter Countermeasure (ECCM) to the jammer.

Using a custom-built Tx/Rx, I will use the earth's crust to generate an H-field Near Field Communication (NFC) channel spanning 1-11km away in the sub 9 kHz range to communicate encrypted messages in a jammed environment.


DRAGON TAILS: SUPPLY-SIDE SECURITY AND INTERNATIONAL VULNERABILITY DISCLOSURE LAW


Friday at 18:30 in Track 2
20 minutes


Stewart Scott


Trey Herr


This talk will present a study of the reliance of proprietary and open source software on Chinese vulnerability research. A difficult political environment for Chinese security researchers became acute when a law requiring vulnerability disclosure to government and banning it to all others but the affected vendor took effect in Sept. 2021. No public evaluation of this law's impact has yet been made. This talk will present results of a quantitative analysis on the changing proportion of Chinese-based disclosures to major software products from Google, Microsoft, Apple, and VMWare alongside several major open source packages. The analysis will measure change over time in response to evolving Chinese legislation, significant divergence from data on the allocation of bug bounty rewards, and notable trends in the kinds of disclosed vulnerabilities. The Chinese research community's prowess is well known, from exploits at the Tianfu Cup to preeminent enterprise labs like Qihoo 360. However, the recent law aiming to give the Chinese government early access to the community's discoveries—and the government's apparent willingness to enforce it even on high-profile corporations as seen in its punishment of Alibaba—demand more thorough scrutiny. This talk will address implications for policy and the wider hacker community.


PULLING PASSWORDS OUT OF CONFIGURATION MANAGER: PRACTICAL ATTACKS AGAINST MICROSOFT'S ENDPOINT MANAGEMENT SOFTWARE


Friday at 18:00 in Track 3
45 minutes | Demo, Tool


Christopher Panayi


System Center Configuration Manager, now Microsoft Endpoint Configuration Manager (MECM), is a software management product that has been widely adopted by large organizations to deploy, update, and manage software; it is commonly responsible for the deployment and management of the majority of server and workstation machines in enterprise Windows environments.

This talk will provide an outline of how MECM is used to deploy machines into enterprise environments (typically through network booting, although it supports various Operating System deployment techniques), and will explore attacks that allow Active Directory credentials to be extracted from this process. The common MECM misconfigurations leading to these attacks will be detailed and, in so doing, the talk will aim to show how to identify and exploit these misconfigurations and how to defend against these attacks. Each viable attack will be discussed in depth (mostly by discussing the protocols and architecture in use, but sometimes by diving into relevant code, if necessary) so that the context of how and why the attack works will be understood. These concepts will be illustrated through the demo and release of a tool that allows for the extraction of credentials from several of the onsite deployment techniques that MECM supports.


TEAR DOWN THIS ZYWALL: BREAKING OPEN ZYXEL ENCRYPTED FIRMWARE


Friday at 18:00 in Track 4
45 minutes


Jay Lagorio


How do you go bug hunting in devices you own when the manufacturer has slapped some pesky encryption scheme on the firmware? Starting from an encrypted blob of bits and getting to executable code is hard and can be even more frustrating when you already know the bug is there; you just want to see it! Join me on my expedition to access the contents of my Zyxel firewall's firmware using password and hash cracking, hardware and software reverse engineering, and duct taping puzzle pieces together. We'll start with a device and a firmware blob, flail helplessly at the crypto, tear apart the hardware, reverse engineer the software and emulate the platform, and finally identify the decryption routine - ultimately breaking the protection used by the entire product line to decrypt whatever firmware version we want.


BRAZIL REDUX: SHORT CIRCUITING TECH-ENABLED DYSTOPIA WITH THE RIGHT TO REPAIR

Saturday at 10:00 in Track 1
75 minutes

Paul Roberts
Joe Grand
Corynne McSherry
Louis Rossmann
Kyle Wiens

Terry Gilliam’s 1985 cult film Brazil posits a polluted, hyper-consumerist and totalitarian dystopia in which a renegade heating engineer, Archibald Tuttle, takes great risks to conduct repairs outside of the stifling and inefficient bureaucracy of "Central Services.” When Tuttle's rogue repairs are detected, Central Services workers demolish and seize repaired systems under the pretext of “fixing” them. It’s dark. It’s also not so far off from our present reality in which device makers use always-on Internet connections, DRM and expansive copyright and IP claims to sustain "Central Services"-like monopolies on the service and repair of appliances, agricultural and medical equipment, personal electronics and more. The net effect of this is a less, not more, secure ecosystem of connected things that burdens consumers, businesses and the planet. Our panel of repair and cybersecurity experts will delve into how OEMs’ anti-repair arguments trumpet cybersecurity risks, while strangling independent repair and dissembling about the abysmal state of embedded device security. We'll also examine how the emergent "right to repair" movement aims to dismantle this emerging "Brazil" style dystopia and lay the foundation for a "circular" economy that reduces waste while also ensuring better security and privacy protections for technology users.


LITERAL SELF-PWNING: WHY PATIENTS - AND THEIR ADVOCATES - SHOULD BE ENCOURAGED TO HACK, IMPROVE, AND MOD MED TECH

Saturday at 10:00 in Track 4
45 minutes

Cory Doctorow
Christian "quaddi" Dameff MD
Jeff "r3plicant" Tully MD

What do Apple, John Deere and Wahl Shavers have in common with med-tech companies? They all insist that if you were able to mod their stuff, you would kill yourself and/or someone else... and they've all demonstrated, time and again, that they are unfit to have the final say over how the tools you depend on should work. As right to repair and other interoperability movements gain prominence, med-tech wants us to think that it's too life-or-death for modding. We think that med-tech is too life-or-death NOT to be open, accountable and configurable by the people who depend on it. Hear two hacker doctors and a tech activist talk about who's on the right side of history and how the people on the wrong side of history are trying to turn you into a walking inkjet printer, locked into an app store.


SCALING THE SECURITY RESEARCHER TO ELIMINATE OSS VULNERABILITIES ONCE AND FOR ALL

Saturday at 10:00 in Track 3
45 minutes | Demo

Jonathan Leitschuh

Hundreds of thousands of human hours are invested every year in finding common security vulnerabilities with relatively simple fixes. These vulnerabilities aren't sexy, cool, or new, we've known about them for years, but they're everywhere!

The scale of GitHub & tools like CodeQL (GitHub’s code query language) enable one to scan for vulnerabilities across hundreds of thousands of OSS projects, but the challenge is how to scale the triaging, reporting, and fixing. Simply automating the creation of thousands of bug reports by itself isn’t useful, & would be even more of a burden on volunteer maintainers of OSS projects. Ideally the maintainers would be provided with not only information about the vulnerability, but also a fix in the form of an easily actionable pull request.

When facing a problem of this scale, what is the most efficient way to leverage researcher knowledge to fix the most vulnerabilities across OSS? This talk will cover a highly scalable solution - automated bulk pull request generation. We'll discuss the practical applications of this technique on real world OSS projects. We'll also cover technologies like CodeQL & OpenRewrite (a style-preserving refactoring tool created at Netflix & now developed by Moderne). Let’s not just talk about vulnerabilities, let’s actually fix them at scale.


HOW TO GET MUMPS THIRTY YEARS LATER (OR, HACKING THE GOVERNMENT VIA FOIA’D CODE)

Saturday at 11:00 in Track 4
45 minutes | Demo, Exploit

Zachary Minneker

In the 60s, engineers working in a lab at Massachusetts General Hospital in Boston invented a programming environment for use in medical contexts. This is before C, before the Unix epoch, before the concept of an electronic medical records system even existed. But if you have medical records in the US, or if you’ve banked in the US, it's likely that this language has touched your data. Since the 1960s, this language has been used in everything from EMRs to core banking to general database needs, and even is contained in apt to this day.

This is the Massachusetts General Hospital Utility Multi-Programming System. This is MUMPS.

This talk covers new research into common open-source MUMPS implementations, starting with an application that relies on MUMPS: the Department of Veterans Affairs' VistA EMR. We'll cover a short history of VistA before diving into its guts and examining MUMPS, the language that VistA was written in. Then we'll talk about 30 memory bugs discovered while fuzzing open source MUMPS implementations before returning to VistA to cover critical vulnerabilities found in credential handling and login mechanisms. We'll close by taking a step back and asking questions about how we even got here in the first place, the right moves we made, and what we can do better.
MY FIRST HACK WAS IN 1958 (THEN A CAREER IN ROCK'N'ROLL TAUGHT ME ABOUT SECURITY)

Saturday at 11:00 in Track 2
45 minutes

Winn Schwartau

My first hack was in 1958, and it was all my mother's fault. Or perhaps I should also blame my father. They were both engineers and I got their DNA. As a kid I hacked phones... cuz, well, phones were expensive! (Cardboard was an important hacking tool.) At age 6 I made a decent living cuz I could fix tube TVs. True!

In roughly 1970 (thanks to NYU) we moved on to hacking Hollerith (punch) cards to avoid paying for telephone and our utilities, and of course, shenanigans.

As a recording studio designer and builder, we dumpster dived for technology from AT&T. We never threw anything out and learned how to repurpose and abuse tech from the 1940s.

As a rock'n'roll engineer, I learned to live with constant systems epic failures. Anything that could break would break: before a live TV event or a massive concert. Talk about lessons in Disaster Recovery and Incident Response.

This talk, chock full of pictures and stories from the past, covers my hacking path as a kid then as a necessary part of survival in the entertainment industry. 1958-1981.

Come on down for the ride and see how 64 years of lessons learned can give you an entirely different view of Hacking and how and why I have embraced failure for both of my careers!


NO-CODE MALWARE: WINDOWS 11 AT YOUR SERVICE

Saturday at 11:00 in Track 3
45 minutes | Demo, Tool, Exploit

Michael Bargury

Windows 11 ships with a nifty feature called Power Automate, which lets users automate mundane processes. In a nutshell, users can build custom processes and hand them to Microsoft, which in turn ensures they are distributed to all user machines or Office cloud, executed successfully and reports back to the cloud. You can probably already see where this is going...

In this presentation, we will show how Power Automate can be repurposed to power malware operations. We will demonstrate the full cycle of distributing payloads, bypassing perimeter controls, executing them on victim machines and exfiltrating data. All while using nothing but Windows baked-in and signed executables, and Office cloud services.

We will then take you behind the scenes and explore how this service works, what attack surface it exposes on the machine and in the cloud, and how it is enabled by-default and can be used without explicit user consent. We will also point out a few promising future research directions for the community to pursue.

Finally, we will share an open-source command line tool to easily accomplish all of the above, so you will be able to add it into your Red Team arsenal and try out your own ideas.


REVERSING THE ORIGINAL XBOX LIVE PROTOCOLS

Saturday at 11:30 in Track 1
45 minutes | Demo, Tool

Tristan Miller

Xbox Live for original Xbox systems launched on November 15, 2002 and was subsequently discontinued on April 15, 2010. The first half of this talk will be an information dense overview of the gritty details of how the underlying protocols work and intermixing a retrospective of two decades of how the industry has approached IoT and network security. The second half of the talk will use that base to discuss the architecture of drop in replacement server infrastructure, how the speaker approaches the ethics of third party support for non-updatable abandoned networked devices, and culminating in a demo.


ALL ROADS LEADS TO GKE'S HOST: 4+ WAYS TO ESCAPE

Saturday at 12:00 in Track 3
45 minutes | Demo, Exploit

Billy Jheng
Muhammad ALifa Ramdhan

Container security is a prevalent topic in security research. Due to the great design and long-term effort, containers have been more and more secure. Usage of container technology is increasingly being used. Container security is a topic that has started to be discussed a lot lately.


SATURDAY


In late 2021, Google increased the vulnerability reward program in kCTF infrastructure, which was built on top of Kubernetes and Google Container Optimized OS, with a minimum reward of $31,337 per submission.

In this talk, we will share about how we managed to have 4 successful submissions on kCTF VRP by exploiting four Linux kernel bugs to perform container escape on kCTF cluster, we will explain some interesting kernel exploit techniques and tricks that can be used to bypass the latest security mitigation in Linux kernel. We will also share what we did wrong that causes us to nearly lose 1 of the bounty.

As of writing, there are 14 successful entries to kCTF. In this presentation, we are willing to share our full, in-depth details on the research of kCTF.

To the best of our knowledge, this presentation will be the first to talk about a complete methodology to pwn kCTF (find and exploit bugs within 0-day and 1-day) in public.


THE EVIL PLC ATTACK: WEAPONIZING PLCS

Saturday at 12:00 in Track 4
20 minutes | Demo, Tool, Exploit

Sharon Brizinov

These days, Programmable Logic Controllers (PLC) in an industrial network are a critical attack target, with more exploits being identified every day. But what if the PLC wasn't the prey, but the predator? This presentation demonstrates a novel TTP called the "Evil PLC Attack", where a PLC is weaponized in a way that when an engineer is trying to configure or troubleshoot it, the engineer's machine gets compromised.

We will describe how engineers diagnose PLC issues, write code, and transfer bytecode to PLCs for execution with industrial processes in any number of critical sectors, including electric, water and wastewater, heavy industry, and automotive manufacturing. Then we will describe how we conceptualized, developed, and implemented different techniques to weaponize a PLC in order to achieve code execution on an engineer's machine.

The research resulted in working PoCs against ICS market leaders which fixed all the reported vulnerabilities and remediated the attack vector. Such vendors include Rockwell Automation, Schneider Electric, GE, B&R, Xinje, OVARRO and more.
TRACKING MILITARY GHOST HELICOPTERS OVER OUR NATION’S CAPITAL

Saturday at 12:00 in Track 2
20 minutes

Andrew Logan

There’s a running joke around Washington D.C. that the “State Bird” is the helicopter. Yet 96% of helicopter noise complaints from 2018-2021 went unattributed: D.C. residents cannot tell a news helicopter from a black hawk. Flight tracking sites remove flights as a paid service to aircraft owners and government agencies; even in the best case these sites do not receive tracking information from most military helicopters due to a Code of Federal Regulations exemption for “sensitive government mission for national defense, homeland security, intelligence or law enforcement.” This makes an enormous amount of helicopter flights untraceable even for the FAA and leaves residents in the dark.

What if we could help residents identify helicopters? What if we could crowd source helicopter tracking? What if we could collect images to identify helicopters using computer vision? What if we could make aircraft radio as accessible as reading a map? What if we could make spotting helicopters a game that appeals to the competitive spirit of Washingtonians? And what if we could do all of this... on Twitter?


ANALYZING PIPEDREAM: CHALLENGES IN TESTING AN ICS ATTACK TOOLKIT.

Saturday at 12:30 in Track 4
45 minutes | Demo

Jimmy Wylie

Identified early in 2022, PIPEDREAM is the seventh-known ICS-specific malware and the fifth malware specifically developed to disrupt industrial processes. PIPEDREAM demonstrates significant adversary research and development focused on the disruption, degradation, and potentially, the destruction of industrial environments and physical processes. PIPEDREAM can impact a wide variety of PLCs including Omron and Schneider Electric controllers. PIPEDREAM can also execute attacks that take advantage of ubiquitous industrial protocols, including CODESYS, Modbus, FINS, and OPC-UA.

This presentation will summarize the malware, and detail the difficulties encountered during the reverse engineering and analysis of the malware to include acquiring equipment and setting up our lab. This talk will also release the latest results from Dragos' lab including an assessment of the breadth of impact of PIPEDREAM's CODESYS modules on equipment beyond Schneider Electric's PLCs, testing Omron servo manipulation, as well as OPC-UA server manipulation.

While a background in ICS is helpful to understand this talk, it is not required. The audience will learn about what challenges they can expect to encounter when testing ICS malware and how to overcome them.


THE HITCHHACKER'S GUIDE TO IPHONE LIGHTNING & JTAG HACKING

Saturday at 12:30 in Track 1
20 minutes | Demo, Tool

stacksmashing

Apple's Lightning connector was introduced almost 10 years ago - and under the hood it can be used for much more than just charging an iPhone: Using a proprietary protocol it can also be configured to give access to a serial-console and even expose the JTAG pins of the application processor! So far these hidden debugging features have not been very accessible, and could only be accessed using expensive and difficult to acquire "Kanzi" and "Bonobo" cables. In this talk we introduce the cheap and open-source "Tamarin Cable", bringing Lightning exploration to the masses!

In this talk we are diving deep into the weeds of Apple Lightning:

What's "Tristar", "Hydra" and "HiFive"? What's SDQ and IDBUS? And how does it all fit together?

We show how you can analyze Lightning communications, what different types of cables (such as DCSD, Kanzi & co) communicate with the iPhone, and how everything works on the hardware level.

We then show how we developed the "Tamarin Cable": An open-source, super cheap (~$5 and a sacrificed cable) Lightning explorer that supports sending custom IDBUS & SDQ commands, can access the iPhone's serial-console, and even provides a full JTAG/SWD probe able to debug iPhones.

We also show how we fuzzed Lightning to uncover new commands, and reverse engineer some Lightning details hidden in iOS itself.


UFOS, ALIEN LIFE, AND THE LEAST UNTRUTHFUL THINGS I CAN SAY.

Saturday at 12:30 in Track 2
45 minutes

Richard Thieme

I have explored the subject of UFOs seriously and in depth and detail for 44 years. I have worked with some of the best and brightest in the “invisible college” to do academic research and reach conclusions based on the evidence. I contributed to the celebrated history, “UFOs and Government: A Historical Inquiry,” the gold standard for historical research into the subject now in over 100 university libraries. This talk more than updates the latest government statements on the subject - it is the most complete, honest, and forthright presentation I can make. I will tell the most truth I can, based on data and evidence. As an NSA analyst told me, “Richard, they are here. They're here.”


CHROMEBOOK BREAKOUT: ESCAPING JAIL, WITH YOUR FRIENDS, USING A PICO DUCKY

Saturday at 13:00 in Track 1
45 minutes | Demo

Jimi Allee

Learn how we used our Pico Ducky to escape Chromebook jail, rescue our friends along the way, and have some fun Living Off the Land! Leveraging a discovered (but previously disclosed) Command Injection vulnerability in the ChromeOS crosh shell, we rabbithole into the internal ChromeOS Linux system, obtain persistence across reboots, and exfiltrate user data even before Developer Mode has been enabled. Learn how to provision and utilize local services in order to perform Privilege Escalations, and also create a ‘Master Key’ with the Pico Ducky and custom GTFO 1-liners, in order to perform a full Chromebook Breakout!




EXPLORING ANCIENT RUINS TO FIND MODERN BUGS: DISCOVERING A 0-DAY IN AN MS-RPC SERVICE

Saturday at 13:00 in Track 3
45 minutes | Demo, Tool, Exploit

Ben Barnea
Ophir Harpaz

MS-RPC is Microsoft's implementation of the Remote Procedure Calls protocol. Even though the protocol is extremely widespread, and serves as the basis for nearly all Windows services on both managed and unmanaged networks, little has been published about MS-RPC, its attack surface and design flaws.

In this talk, we will walk through and demonstrate a 0-day RCE vulnerability which we discovered through our research of MS-RPC. When exploited, this vulnerability allows an attacker to execute code remotely and potentially take over the Domain Controller. We believe this vulnerability may belong to a somewhat novel bug-class which is unique to RPC server implementations, and would like to share this idea as a possible research direction with the audience.

To aid future research into the topic of MS-RPC, we will share a deep, technical overview of the RPC system in Windows, explain why we decided to target it, and point out several design flaws. We will also outline the methodology we developed around RPC as a research target along with some tools we built to facilitate the bug-hunting process.


DO NOT TRUST THE ASA, TROJANS!

Saturday at 13:30 in Track 4
45 minutes | Tool, Exploit

Jacob Baines

Cisco ASA and ASA-X are widely deployed firewalls that are relied upon to protect internal networks from the dangers of the outside world. This key piece of network infrastructure is an obvious point of attack, and a known target for exploitation and implantation by APT such as the Equation Group. Yet it’s been a number of years since a new vulnerability has been published that can provide privileged access to the ASA or the protected internal network. But all good things must come to an end.

In this talk, new vulnerabilities affecting the Cisco ASA will be presented. We'll exploit the firewall, the system’s administrators, and the ASA-X FirePOWER module. The result of which should call into question the firewall’s trustworthiness.

The talk will focus on the practical exploitation of the ASA using these new vulnerabilities. To that end, new tooling and Metasploit modules will be presented. For IT protectors, mitigation and potential indicators of compromise will also be explored.
HACK THE HEMISPHERE! HOW WE (LEGALLY) BROADCASTED HACKER CONTENT TO ALL OF NORTH AMERICA USING AN END-OF-LIFE GEOSTATIONARY SATELLITE, AND HOW YOU CAN SET UP YOUR OWN BROADCAST TOO!

Saturday at 13:30 in Track 2
45 minutes | Demo

Karl Koscher
Andrew Green

The Shadytel cabal had an unprecedented opportunity to legally uplink to and use a vacant transponder slot on a geostationary satellite about to be decommissioned. This talk will explain how we modified an unused commercial uplink facility to broadcast modern HD DVB-S2 signals and created the media processing chain to generate the ultimate information broadcast. You'll learn how satellite transponders work, how HDTV is encoded and transmitted, and how you can create your own hacker event broadcast.


OPENCOLA. THE ANTISOCIAL NETWORK

Saturday at 14:00 in Track 1
45 minutes | Demo, Tool

John Midgley
Oxblood Ruffin

The internet, as it stands today, is not a very trustworthy environment, as evidenced by the numerous headlines of companies abusing personal data and activity. This is not really surprising since companies are responsible for optimizing revenue, which is often at odds with user benefit. The result of these incentives has produced or exacerbated significant problems: tech silos, misinformation, privacy abuse, concentration of wealth, the attention economy, etc. We built OpenCola, free and open source, as an alternative to existing big-tech applications. It puts users in control of their personal activity and the algorithms that shape the flow of data to them. We believe that this solution, although simple, can significantly mitigate the challenges facing the Internet.


THE COW (CONTAINER ON WINDOWS) WHO ESCAPED THE SILO

Saturday at 14:00 in Track 3
45 minutes | Demo, Tool, Exploit

Eran Segal

Virtualization and containers are the foundations of cloud services. Containers should be isolated from the real host’s settings to ensure the security of the host.

In this talk we'll answer these questions: “Are Windows process-isolated containers really isolated?” and “What can an attacker achieve by breaking the isolation?”

Before we jump into the vulnerabilities, we'll explain how Windows isolates the container's processes, filesystem and how the host prevents the container from executing syscalls which can impact the host.

Specifically, we'll focus on the isolation implementation of Ntoskrnl using server silos and job objects.

We'll compare Windows containers to Linux containers and describe the differences between their security architectural designs.

We'll follow the scenario of an attacker-crafted container running with low privileges. We'll show in multiple ways how to gain privilege escalation inside the container to NT/System. After gaining NT/System permissions, we'll talk about how we escaped the isolation of the container and easily achieved a dump of the entire host's kernel memory from within the container. If the host is configured with a kernel debugger, we can even dump the host's Admin credentials.

We'll finish by demonstrating how an attacker-crafted container with low privileges can read UEFI settings and then set them. Using this technique an attacker can communicate between containers and cause a permanent Denial-of-Service (DoS) to a host with default settings, through the UEFI interface.


DIGGING INTO XIAOMI'S TEE TO GET TO CHINESE MONEY

Saturday at 14:30 in Track 2
20 minutes | Demo, Exploit

Slava Makkaveev

The Far East and China account for two-thirds of global mobile payments in 2021. That is about $4 billion in mobile wallet transactions. Such a huge amount of money is sure to attract the attention of hackers. Have you ever wondered how safe it is to pay from a mobile device? Can a malicious app steal money from your digital wallet? To answer these questions, we researched the payment system built into Xiaomi smartphones based on MediaTek chips, which are very popular in China. As a result, we discovered vulnerabilities that allow forging payment packages or disabling the payment system directly from an unprivileged Android application.

Mobile payment signatures are carried out in the Trusted Execution Environment (TEE) that remains secure on compromised devices. The attacker needs to hack the TEE in order to hack the payment. There is a lot of good research about mobile TEEs in the public domain, but no one pays attention to trusted apps written by device vendors like Xiaomi and not by chip makers, while the core of mobile payments is implemented there. In our research, we reviewed Xiaomi's TEE for security issues in order to find a way to scam WeChat Pay.


DOING THE IMPOSSIBLE: HOW I FOUND MAINFRAME BUFFER OVERFLOWS

Saturday at 14:30 in Track 4
45 minutes | Demo, Tool, Exploit

Jake Labelle

Mainframes run the world, literally. Have you ever paid for something, a mainframe was involved, flown? Used a bank? Gone to college? A mainframe was involved. Do you live in a country with a government? Mainframes! The current (and really only) mainframe OS is z/OS from IBM. If you've ever talked to a mainframer you'll get told how they're more secure because buffer overflows are (were) impossible. This talk will prove them all wrong!

Finding exploits on z/OS is no different than any other platform. This talk will walk through how you too can become a mainframe exploit researcher!

Remote code execution is extra tricky on a mainframe as almost all sockets read data with the ASCII character set and convert that to EBCDIC for the application. With this talk you will find out how to find and then remotely overflow a vulnerable mainframe C program and create an ASCII -> EBCDIC shellcode to escalate your privileges remotely, without auth. Previous mainframe talks focused on infrastructure based attacks. This talk builds on those but adds a class of vulnerabilities, opening up the mainframe hacking community.
DEJA VU: UNCOVERING STOLEN ALGORITHMS IN COMMERCIAL PRODUCTS

Saturday at 15:00 in Track 1
20 minutes | Demo

Patrick Wardle
Tom McGuire

In an ideal world, members of a community work together towards a common goal or greater good. Unfortunately, we do not (yet) live in such a world.

In this talk, we discuss what appears to be a systemic issue impacting our cyber-security community: the theft and unauthorized use of algorithms by corporate entities. Entities who themselves may be part of the community.

First, we'll present a variety of search techniques that can automatically point to unauthorized code in commercial products. Then we'll show how reverse-engineering and binary comparison techniques can confirm such findings.

Next, we will apply these approaches in a real-world case study. Specifically, we'll focus on a popular tool from a non-profit organization that was reverse-engineered by multiple entities such that its core algorithm could be recovered and used (unauthorized), in multiple commercial products.

The talk will end with actionable takeaways and recommendations, as who knows, this may happen to you too! For one, we'll present strategic approaches (and the challenges) of confronting culpable commercial entities (and their legal teams).

Moreover, we'll provide recommendations for corporations to ensure this doesn't happen in the first place, thus ensuring that our community can remain cohesively focused on its mutual goals.


THE BIG RICK: HOW I RICKROLLED MY HIGH SCHOOL DISTRICT AND GOT AWAY WITH IT

Saturday at 15:00 in Track 2
20 minutes

Minh Duong

What happens when you have networked projectors, misconfigured devices, and a bored high school student looking for the perfect senior prank? You get a massive rickroll spanning six high schools and over 11,000 students at one of the largest school districts in suburban Chicago.

This talk will go over the coordination required to execute a hack of this scale and the logistics of commanding a botnet of IoT systems. It will also describe the operational security measures taken so that *you* can evade detection, avoid punishment, and successfully walk at graduation.


YOU HAVE ONE NEW APPWNTMENT - HACKING PROPRIETARY ICALENDAR PROPERTIES


Saturday at 15:00 in Track 3 
45 minutes | Demo, Tool, Exploit 


Eugene Lim 


First defined in 1998, the iCalendar standard remains ubiquitous in enterprise software. However, it did not account for modern security concerns and allowed vendors to create proprietary extensions that expanded the attack surface.


I demonstrate how flawed RFC implementations led to new vulnerabilities in popular applications such as Apple Calendar, Google Calendar, Microsoft Outlook, and VMware Boxer. Attackers can trigger exploits remotely with zero user interaction due to automatic parsing of event invitations. Some of these zombie properties were abandoned years ago for their obvious security problems but continue to pop up in legacy code.


Furthermore, I explain how iCalendar's integrations with the SMTP and CalDAV protocols enable multi-stage attacks. Despite attempts to secure these technologies separately, the interactions that arise from features such as emailed event reminders require a full-stack approach to calendar security. I conclude that developers should strengthen existing iCalendar standards in terms of design and implementation.


I advocate for an open-source and open-standards approach to secure iCalendar rather than proprietary fragmentation. I will release a database of proprietary iCalendar properties and a technical whitepaper.


AUTOMOTIVE ETHERNET FUZZING: FROM PURCHASING ECU TO SOME/IP FUZZING


Saturday at 15:30 in Track 1 
20 minutes | Tool 


Jonghyuk Song 
Soohwan Oh 
Woongjo Choi


Car hacking is a tricky subject for hackers because it requires lots of money and hardware knowledge to research with a real car. An alternative way would be to research with an ECU, but it is also difficult to know how to set up the equipment.


Moreover, in order to communicate with Automotive Ethernet services running on the ECU, you need additional devices such as media converters and Ethernet adapters supporting Virtual LAN (VLAN).


Even if you succeed in building the hardware 
environment, you can't communicate with the 
ECU over SOME/IP protocol of Automotive 
Ethernet if you don't know the network 
configuration, such as VLAN ID, service IDs 
and IP/port mapped to each service. 


This talk describes how to do fuzzing on 
the SOME/IP services step by step: 


First, we demonstrate how to buy an 
ECU, how to power and wire it. 


Second, we explain network configurations 
to communicate between ECU and PC. 


Third, we describe how to find out the information 
required to perform SOME/IP fuzzing and 
how to implement SOME/IP Fuzzer. 


We have conducted the fuzzing with the 
BMW ECUs purchased by official BMW 
sales channels, not used products. 


We hope this talk will encourage more people to try car hacking and spare them the trial and error that we have experienced.


SATURDAY 


PERIMETER BREACHED! HACKING AN ACCESS CONTROL SYSTEM


Saturday at 15:30 in Track 4 
45 minutes | Demo 


Sam Quinn 


Steve Povolny 


The first critical component to any attack is an entry point. As we lock down firewalls and routers, it can be easy to overlook the network-connected physical access control systems. A study done by IBM in 2021 showed that the average cost of a physical security compromise is $3.54 million and takes an average of 223 days to identify a breach.


Carrier's LenelS2 is a global distributor of 
access control systems, deployed across 
multiple industries and certified for use in 
federal and state government facilities. 


Trellix's Threat Labs team uncovered 8 0-day vulnerabilities leading to remote, unauthenticated code execution on the LenelS2 Mercury 4420 access control panel. These findings led to full system control, including the ability for an attacker to remotely manipulate door locks. During this presentation, we will deep dive into our hardware hacking process, including the challenges faced such as bypassing the bootloader, hardware-based watchdog timers, and authentication. We will describe emulation and provide a detailed walkthrough of the 8 discovered zero-day vulnerabilities, and end-to-end exploitation using malware we designed to control system functionality. We culminate the talk with a live demo featuring full system control, unlocking doors remotely without triggering any software notifications.


TOR: DARKNET OPSEC BY A VETERAN DARKNET VENDOR


Saturday at 15:30 in Track 2 
45 minutes 


Sam Bent 


The hacking subculture's closest relative is that of the Darknet. Both have knowledgeable people, many of whom are highly proficient with technology and wish to remain somewhat anonymous. They are both composed of a vast number of introverts and abide by the same first rule: "Don't get caught."


Over the past decade, there have been many DEF CON talks that have discussed topics related to Tor and the Darknet. Having an IT, Infosec, and hacking background, the goal is to present a unique perspective from a hacker turned Darknet Vendor, who then learned about the law and, using metaphorical privilege escalation and social engineering, got himself out of federal prison after a year and a half by acting as his own lawyer.


The focus of this talk will be the operational security policies that a skilled Darknet Market Vendor (DMV) implements to avoid compromising their identity. We will look at tactics used by Law Enforcement and common attacks prevalent on the Darknet, ranging from linguistic analysis and United States Postal Inspector operations all the way to correlation attacks and utilizing long-range wifi antennas to avoid detection as a failsafe.


By focusing less on the basics of Tor and more 
on how insiders operate within it, we will 
uncover what it takes to navigate this ever- 
evolving landscape with clever OpSec. 


LOW CODE HIGH RISK: ENTERPRISE DOMINATION VIA LOW CODE ABUSE


Saturday at 16:00 in Track 3 
45 minutes | Demo, Tool, Exploit 


Michael Bargury 


Why focus on heavily guarded crown 
jewels when you can dominate an 
organization through its shadow IT? 


Low-Code applications have become a reality in the enterprise, with surveys showing that most enterprise apps are now built outside of IT, with lacking security practices. Unsurprisingly, attackers have figured out ways to leverage these platforms for their gain.


In this talk, we demonstrate a host of attack 
techniques found in the wild, where enterprise 
No-Code platforms are leveraged and abused 
for every step in the cyber killchain. You will 
learn how attackers perform an account takeover 
by making the user simply click a link, move 
laterally and escalate privileges with zero network 
traffic, leave behind an untraceable backdoor, 
and automate data exfiltration, to name a few 
capabilities. All capabilities will be demonstrated 
with POCs, and their source code will be shared. 


Next, we will drop two isolation-breaking 
vulnerabilities that allow privilege escalation 
and cross-tenant access. We will explain 
how these vulnerabilities were discovered 
and assess their pre-discovery impact. 


Finally, we will introduce an open-source recon tool 
that identifies opportunities for lateral movement 
and privilege escalation through low-code platforms. 
TRAILER SHOUTING: TALKING PLC4TRUCKS REMOTELY WITH AN SDR


Saturday at 16:00 in Track 1 
45 minutes | Demo, Tool, Exploit 


Ben Gardiner 


Chris Poore 


Ben Gardiner, Chris Poore and other security researchers have been analyzing signals and performing research against trailers and Power Line Communication for multiple years. This year the team was able to disclose two vulnerabilities focused on the ability to remotely inject RF messages onto the powerline and in turn send unauthenticated messages to the brake controller over the link. The team will discuss the details of PLC4TRUCKS, identify what led to this research and the discovery of the vulnerabilities, and then highlight the details of the SDR and software used to perform the attack. The talk will conclude with the demonstration of a remotely induced brake controller solenoid test using an FL2K and the release of the GNU Radio block used to perform the test to the community to promote further research in the area.


DEFEATING MOVING ELEMENTS IN HIGH SECURITY KEYS


Saturday at 16:30 in Track 4 
45 minutes | Tool, Exploit 


Bill Graydon 


A recent trend in high security locks is to add a moving element to the key: this prevents casting, 3D printing and many other forms of unauthorised duplication. Pioneered by the Mul-T-Lock Interactive locks, we see the technique used in recent Mul-T-Lock iterations, the Abloy Protec 2 and most recently, the Medeco M4, which is only rolling out to customers now.


We have identified a major vulnerability in this technology, and have developed a number of techniques to unlock these locks using a key made from a solid piece of material, which defeats all of the benefits of an interactive key. I'll demonstrate how it can be applied to Mul-T-Lock Interactive, Mul-T-Lock MT5+ and the Medeco M4, allowing keys to be duplicated by casting, 3D printing and more. I'll also cover other techniques to defeat moving elements in a key, such as printing a compliant mechanism and printing a captive element directly. With this talk, we're also releasing a web application for anyone to generate 3D printable files based on this exploit.


Finally, I'll also discuss the responsible disclosure process, and working with the lock manufacturers to patch the vulnerability and mitigate the risk.


WHY DID YOU LOSE THE LAST PS5 RESTOCK TO A BOT? TOP-PERFORMING APP-HACKERS BUSINESS MODULES, ARCHITECTURE, AND TECHNIQUES


Saturday at 16:30 in Track 2 
45 minutes 


Arik 


The rise of the machines. 


Whenever you are buying online, especially if it's a limited stock item, you are competing against Bots and lose miserably. Even when you are asleep, there's a 14% chance that a bot is trying to log into one of the 200+ digital accounts you own.


Your mom called to say someone from her bank asked for a 4-digit SMS code? It was an OTP bot.


Malicious automation is here to stay as it serves tens of thousands of hackers and retail scalpers and drives billions of dollars worth of marketplaces.


During my talk, we will deep dive into the most fascinating architecture, business modules, and techniques that top-performing account crackers and retail bots use to maximize their success rate and revenue.


HACKING THE FARM: BREAKING BADLY INTO AGRICULTURAL DEVICES.


Saturday at 17:00 in Track 1 
45 minutes | Demo, Tool, Exploit 


Sick Codes 


Hacking the farm. In this session, I'll demonstrate tractor-sized hardware hacking techniques, firmware extraction, duplication, emulation, and cloning. We'll be diving into the inner workings of agricultural cyber security; how such low-tech devices are now high-tech devices. The "connected farm" is now a reality; a slurry of EOL devices, trade secrets, data transfer, and overall shenanigans in an industry that accounts for roughly one-fifth of the US economic activity. We'll be discussing hacking into tractors, combines, cotton harvesters, sugar cane and more.




INTERNAL SERVER ERROR: EXPLOITING INTER-PROCESS COMMUNICATION WITH NEW DESYNCHRONIZATION PRIMITIVES


Saturday at 17:00 in Track 3 
45 minutes | Demo, Tool, Exploit 


Martin Doyhenard 


In this talk I will show how to reverse engineer a proprietary HTTP Server in order to leverage memory corruption vulnerabilities using high level HTTP protocol exploitation techniques. To do so, I will present two critical vulnerabilities, CVE-2022-22536 and CVE-2022-22532, which were found in SAP's proprietary HTTP Server, and could be used by a remote unauthenticated attacker to compromise any SAP installation in the world.


First, I will explain how to escalate an error in the request handling process to Desynchronize data buffers and hijack every user's account with Advanced Response Smuggling. Furthermore, as the primitives of this vulnerability do not rely on header parsing errors, I will show a new technique to persist the attack using the first Desync botnet in history. This attack will prove to be effective even in an "impossible to exploit" scenario: without a Proxy!


Next I will examine a Use-After-Free in the shared memory used for Inter-Process Communication. By exploiting the incorrect deallocation, I will show how to tamper messages belonging to other TCP connections and take control of all responses using Cache Poisoning and Response Splitting theory.


Finally, as the affected buffers could also contain IPC control data, I will explain how to corrupt memory address pointers and end up obtaining RCE.


BLACK-BOX ASSESSMENT OF SMART CARDS


Saturday at 17:30 in Track 4 
45 minutes | Demo, Tool 


Daniel Crowley 


You probably have at least two smart cards in 
your pockets right now. Your credit card, and 
the SIM card in your cell phone. You might also 
have a CAC, metro card, or the contactless key 
to your hotel room. Many of these cards are 
based on the same basic standards and share 
a common command format, called APDU. 
This talk will discuss and demonstrate how even in the absence of information about a given card, there are a series of ways to enumerate the contents and capabilities of a card, find exposed information, fuzz for input handling flaws, and exploit poor authentication and access control.


CROSSING THE KASM -- A WEBAPP PENTEST STORY


Saturday at 17:30 in Track 2 
45 minutes | Exploit 


Samuel Erb 


Justin Gardner 


In this talk we will tell the story of an insane exploit 
we used to compromise the otherwise secure 
KASM Workspaces software. KASM Workspaces 
is enterprise software for streaming virtual 
workstations to end users built on top of Docker. 


This talk will span Python binary RE, header smuggling, configuration injection, Docker networking and questionable RFC interpretation. We hope to show you a little bit of what worked and a lot a bit of what didn't work on our quest to exploit this heisenbug.


THE CSRF RESURRECTIONS! STARRING THE UNHOLY TRINITY: SERVICE WORKER OF PWA, SAMESITE OF HTTP COOKIE, AND FETCH


Saturday at 18:00 in Track 3 
45 minutes | Demo, Tool 


Dongsung Kim 


CSRF is (really) dead. SameSite killed it. 
Browsers protect us. Lax by default! 


Sounds a bit too good to be true, doesn’t it? We 
live in a world where browsers get constantly 
updated with brand new web features and new 
specifications. The complexity abyss is getting 
wider and deeper. How do we know web 
technologies always play perfectly nice with each 
other? What happens when something slips? 


In this talk, I focus on three intertwined web features: HTTP Cookie's SameSite attribute, PWA's Service Worker, and Fetch. I will start by taking a look at how each feature works in detail. Then, I will present how the three combined together allow CSRF to be resurrected, bypassing SameSite's defense. Also, I will demonstrate how a web developer can easily introduce the vulnerability to their web apps when utilizing popular libraries. I will end the talk by sharing the complex disclosure timeline and the difficulty of patching the vulnerability due to the interconnected nature of web specifications.


DIGITAL SKELETON KEYS - WE'VE GOT A BONE TO PICK WITH OFFLINE ACCESS CONTROL SYSTEMS


Saturday at 18:30 in Track 4 
20 minutes | Demo, Tool, Exploit 


Miana E Windall 


Micsen 


Offline RFID systems rely on data stored within the key to control access and configuration. But what if a key lies? What if we can make the system trust those lies? Well then we can do some real spooky things...


This is the story of how a strange repeating 
data pattern turned into a skeleton key 
that can open an entire range of RFID 
access control products in seconds. 


EMULATION-DRIVEN REVERSE-ENGINEERING FOR FINDING VULNS


Sunday at 11:00 in Track 2 
45 minutes | Demo, Tool 


atlas 


do your eyes hurt? is your brain aching? is your pain caused by too much deciphering difficult assembly (or decompiled C) code?


assembly can hurt, C code can be worse. 
partial emulation to the rescue! 


let the emulator walk you through the code, 
let it answer hard questions/problems you 
run into in your reversing/vuln research. 


this talk will introduce you to the power of emulator-driven reversing. guide your RE with the help of an emulator (one that can survive limited context), emulate code you don't want to reverse, be better, learn more, be faster, with less brain-drain.


make no mistake, RE will always have room for magicians to show their wizardry... but after this talk, you may find yourself a much more powerful wizard.


SATURDAY / SUNDAY


EXPLOITATION IN THE ERA OF FORMAL VERIFICATION: A PEEK AT A NEW FRONTIER WITH ADACORE/SPARK


Sunday at 11:00 in Track 1 
45 minutes | Demo 


Adam ‘pi3’ Zabrocki 


Alex Tereshkin 


For decades, software vulnerabilities have remained an unsolvable security problem despite years of investment in various mitigations, hardening and fuzzing strategies. In the last years there have been moves to formal methods as a path toward better security. Verification and formal methods can produce rigorous arguments about the absence of entire classes of security bugs, and are a powerful tool to build highly secure software.


AdaCore/SPARK is a formally defined programming language intended for the development of high integrity software used in systems where predictable and highly reliable operation is crucial. The formal, unambiguous definition of SPARK allows a variety of static analysis techniques to be applied, including information flow analysis, proof of absence of run-time exceptions, proof of termination, proof of functional correctness, and proof of safety and security properties.


In this talk we will dive into AdaCore/SPARK, cover the blind spots and limitations, and show real-world vulnerabilities which we met during my work and which are still possible in the formally proven software. We will also show an exploit targeting one of the previously described vulnerabilities.


SAVE THE ENVIRONMENT (VARIABLE): HIJACKING LEGITIMATE APPLICATIONS WITH A MINIMAL FOOTPRINT


Sunday at 11:00 in Track 3 
45 minutes | Demo, Tool 


Wietze Beukema 


DLL Hijacking, being a well-known technique for executing malicious payloads via trusted executables, has been scrutinised extensively, to the point where defensive measures are in a much better position to detect abuse. To bypass detection, stealthier and harder-to-detect alternatives need to come into play. In this presentation, we will take a closer look at how process-level Environment Variables can be abused for taking over legitimate applications. Taking a systemic approach, we will demonstrate that over 80 Windows-native executables are vulnerable to this special type of DLL Hijacking. As this raises additional opportunities for User Account Control (UAC) bypass and Privilege Escalation, we will discuss the value and further implications of this technique and these findings.


STRACE - A DTRACE ON WINDOWS REIMPLEMENTATION.


Sunday at 11:00 in Track 4 
45 minutes | Demo, Tool 


Stephen Eckels 


I'll document the kernel tracing APIs in modern versions of Windows, implemented to support Microsoft's port of the 'DTrace' system to Windows. This system provides an officially supported mechanism to perform system call interception that is PatchGuard compatible, but not Secure Boot compatible. Alongside the history and details of DTrace, this talk will also cover a C++ and Rust based reimplementation of the system that I call STrace. This reimplementation allows users to write custom plugin DLLs which are manually mapped to the kernel address space. These plugins can then log all system calls, or perform any side effects before and after system call execution by invoking the typical kernel driver APIs - if desired.


DEFAULTS - THE FAULTS. BYPASSING ANDROID PERMISSIONS FROM ALL PROTECTION LEVELS


Sunday at 12:00 in Track 4 
45 minutes | Demo, Exploit 


Nikita Kurtin 


Exploring in depth the Android permission mechanism, through different protection levels.


Step-by-step exploitation techniques that affect more than 98% of all Android devices including the last official release (Android 12).


In this talk I reveal a few different techniques that I uncovered in my research, which can allow hackers to bypass permissions from all protection levels in any Android device, which is more than 3 billion active devices according to the official Google stats.


These vulnerabilities enable the hacker to bypass the security measures of Android, by abusing default (built-in) services, and get access to abilities and resources which are protected by the permission mechanism. Some vulnerabilities are partially fixed, others won't be fixed as Google considers them intended behavior.


In this talk I'll survey the different vulnerabilities, and deep dive into a few different exploitations.


Finally, I'll demonstrate how those techniques can be combined together to create real-life implications and be used for: Ransomware, Clickjacking, Uninstalling other apps and more, completely undetected by security measures.


PREAUTH RCE CHAINS ON AN MDM: KACE SMA


Sunday at 12:00 in Track 3 
45 minutes | Demo, Exploit 


Jeffrey Hofmann 


MDM solutions are, by design, a single point of failure for organizations. MDM appliances often have the ability to execute commands on most of the devices in an organization and provide an "instant win" target for attackers. KACE Systems Management Appliance is a popular MDM choice for hybrid environments. This talk will cover the technical details of 3 pre-authentication RCE-as-root chains on KACE SMA and the research steps taken to identify the individual vulnerabilities used.


TAKING A DUMP IN THE CLOUD 


Sunday at 12:00 in Track 2 
45 minutes | Demo, Tool 


Melvin Langvik 


Flangvik 


Taking a Dump In The Cloud is a tale of countless sleepless nights spent reversing and understanding the integration between Microsoft Office resources and how desktop applications implement them. The release of the TeamFiltration toolkit, connecting all the data points to more effectively launch attacks against Microsoft Azure Tenants. Understanding the lack of conditional access for non-interactive logins and how one can abuse the magic of Microsoft's OAuth implementation with Single-Sign-On to exfiltrate all the loot. Streamlining the process of account enumeration and validation. Thoughts on working effectively against Azure Smart Lockout. Exploring options of vertical movement given common cloud configurations, and more!
THE CALL IS COMING FROM INSIDE THE CLUSTER: MISTAKES THAT LEAD TO WHOLE CLUSTER PWNERSHIP


Sunday at 12:00 in Track 1 
45 minutes | Demo 


Dagan Henderson 


Will Kline 


Kubernetes has taken the DevOps world by storm, 
but its rapid uptake has created an ecosystem 
where many popular solutions for common 
challenges—storage, release management, 
observability, etc.—are either somewhat immature 
or have been “lifted and shifted" to Kubernetes. 
What critical security smells can pentesters look 
for when looking at the security of a cluster? 


We are going to talk through five different security problems that we have found (and reported, no 0-days here) in popular open-source projects and how you can look for similar vulnerabilities in other projects.


ELECTROVOLT: PWNING POPULAR DESKTOP APPS WHILE UNCOVERING NEW ATTACK SURFACE ON ELECTRON


Sunday at 13:00 in Track 3 
45 minutes | Demo, Exploit 


Aaditya Purani 


Max Garrett 


Electron-based apps are becoming a norm these days as it allows encapsulating web applications into a desktop app which is rendered using Chromium. However, if Electron apps load remote content of the attacker's choice, either via a feature or misconfiguration of Deep Link or Open Redirect or XSS, it would lead to Remote Code Execution on the OS.


Previously, it was known that lack of certain feature flags and failure to apply best practices would cause this behavior, but we have identified sophisticated novel attack vectors within the core Electron framework which could be leveraged to gain remote code execution on Electron apps despite all feature flags being set correctly under certain circumstances.


This presentation covers the vulnerabilities found in twenty commonly used Electron applications and demonstrates Remote Code Execution within apps such as Discord, Teams (local file read), VSCode, Basecamp, Mattermost, Element, Notion, and others.


The speakers would like to thank Mohan Sri Rama Krishna Pedhapati, Application Security Auditor, Cure53 and William Bowling, Senior Software Developer, Biteable for their contributions to this presentation.


LESS SMARTSCREEN MORE CAFFEINE - CLICKONCE (AB)USE FOR TRUSTED CODE EXECUTION


Sunday at 13:00 in Track 1 
45 minutes | Demo, Tool 


Steven Flores 


Nick Powers 


Initial access payloads have historically had limited methods that work seamlessly in phishing campaigns and can maintain a level of evasion. This payload category has been dominated by Microsoft Office types, but as recent news has shown, the lifespan of even this technique is shortening. A vehicle for payload delivery that has been greatly overlooked for initial access is ClickOnce. ClickOnce is very versatile and has a lot of opportunities for maintaining a level of evasion and obfuscation.


In this talk we'll cover methods of bypassing Windows controls such as SmartScreen, application whitelisting, and trusted code abuses with ClickOnce applications. Additionally, we'll discuss methods of turning regular signed or high reputation .NET assemblies into weaponized ClickOnce deployments. This will result in circumvention of common security controls and extend the value of ClickOnce in the offensive use case. Finally, we'll discuss delivery mechanisms to increase the overall legitimacy of ClickOnce application deployment in phishing campaigns. This talk can bring to attention the power of ClickOnce applications and code execution techniques that are not commonly used.


SUNDAY 


RINGHOPPER — HOPPING FROM USER-SPACE TO GOD MODE


Sunday at 13:00 in Track 2 
45 minutes | Demo, Exploit 


Jonathan Lusky 


Benny Zeltser 


The SMM is a well-guarded fortress that holds 
a treasure - an unlimited god mode. We 
hopped over the walls, fooled the guards, 
and entered the holy grail of privileges. 


An attacker running in System Management Mode (SMM) can bypass practically any security mechanism, steal sensitive information, install a bootkit, or even brick the entire platform.


We discovered a family of industry-wide TOCTOU vulnerabilities in various UEFI implementations affecting more than 8 major vendors, making billions of devices vulnerable to our attack. RingHopper leverages peripheral devices that exist on every platform to perform a confused deputy attack. With RingHopper we hop from ring 3 (user-space) into ring -2 (SMM), bypass all mitigations, and gain arbitrary code execution.


In our talk, we will deep-dive into this class of vulnerabilities, the exploitation method and how it can be prevented. Finally, we will demonstrate a PoC of a full exploitation using RingHopper, hopping from user-space into SMM.


THE JOURNEY FROM AN ISOLATED CONTAINER TO CLUSTER ADMIN IN SERVICE FABRIC


Sunday at 13:00 in Track 4 
45 minutes | Demo, Exploit 


Aviv Sasson 


Service Fabric is a scalable and reliable container orchestrator developed by Microsoft. It is widely used in Microsoft Azure as well as in Microsoft's internal production environments as an infrastructure for containerized applications.


Developing a container orchestrator is not an easy task as it involves harnessing many technologies in a complicated and distributed environment. This complexity can ultimately lead to security issues. Such security issues can impose a critical risk since compromising an infrastructure allows attackers to escalate their privileges and take over an entire environment quickly and effectively.


In this session, Aviv will share his research on Service Fabric and his journey of escalating from an isolated container to cluster admin. He will go through researching the code and finding a zero-day vulnerability, explaining his exploitation process in the Azure Service Fabric offering while dealing with race conditions and other limitations, and explain how it all allowed him to break out of his container and Hyper-V virtual machine to later gain full control over the underlying Service Fabric cluster.


In the end, he will share his thoughts on security in 
the cloud and his concerns on cloud multitenancy. 


SOLANA JIT: LESSONS FROM FUZZING A SMART-CONTRACT COMPILER


Sunday at 14:00 in Track 4 
45 minutes | Demo, Tool 


Thomas Roth 


Solana is a blockchain with a $37 billion market cap, with the security of that chain relying on the security of the smart contracts on the chain - and we found very little research on the actual execution environment of those contracts. In contrast to Ethereum, where contracts are mostly written in Solidity and then compiled to the Ethereum Virtual Machine, Solana uses a different approach: Solana contracts can be written in C, Rust, and C++, and are compiled to eBPF. Underneath the hood, Solana uses rBPF: a Rust BPF implementation with a just-in-time compiler. Given the security history of eBPF in the Linux kernel, and the lack of previous public, low-level Solana research, we decided to dig deeper: we built Solana reverse-engineering tooling and fuzzing harnesses as we slowly dug our way into the JIT - eventually discovering multiple out-of-bounds vulnerabilities.


CONTEST CLOSING CEREMONIES & AWARDS


Sunday at 14:00 in Track 3
75 minutes


Grifter 


DEF CON Contest & Events Awards, 
come find out who won what!! 


DEF CON CLOSING CEREMONIES & AWARDS


Sunday at 15:30 in Tracks 1 & 2 
Till it ends 


The Dark Tangent 


DEF CON Closing Ceremonies & Awards, the Uber Black badges are awarded to the winners of CTF and several other contests that earned a Black badge for DEF CON 30! We will wrap up the con, say thanks where it's due, and acknowledge special moments.


DEMO LABS


AADINTERNALS: THE ULTIMATE 
AZURE AD HACKING TOOLKIT 


Nestori Syynimaa 
Friday from 14:00 - 15:55 in Committee


AADInternals is an open-source hacking toolkit for Azure AD and Microsoft 365, having over 14,000 downloads from the PowerShell Gallery. It has over 230 different functions in 15 categories for various purposes. The most famous ones are related to Golden SAML attacks: you can export AD FS token signing certificates remotely, forge SAML tokens, and impersonate users with MFA bypass. These techniques have been used in multiple attacks during the last two years, including Solorigate and other NOBELIUM attacks. AADInternals also allows you to harvest credentials, export Azure AD Connect passwords and modify numerous Azure AD / Office 365 settings not otherwise possible. The latest update can extract certificates and impersonate Azure AD joined devices, allowing bypassing of device-based conditional access rules. https://o365blog.com/aadinternals/ https://attack.mitre.org/software/S0677


Audience: Blue teamers, red teamers, administrators, wannabe-hackers, etc.


ACCESS UNDENIED ON AWS 


Noam Dahan 
Friday from 10:00 - 11:55 in Caucus 


Access Undenied on AWS analyzes AWS CloudTrail AccessDenied events - it scans the environment to identify and explain the reasons for which access was denied. When the reason is an explicit deny statement, AccessUndenied identifies the exact statement. When the reason is a missing allow statement, AccessUndenied offers a least-privilege policy that facilitates access.
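The explicit-deny versus missing-allow distinction described above, as an added Python example that is not the AccessUndenied tool's own code. It evaluates constructed CloudTrail-style AccessDenied records against a constructed IAM identity policy using a deliberately simplified IAM model (a matching explicit Deny wins, otherwise a matching Allow is required, otherwise the request is implicitly denied); Condition blocks, NotAction/NotResource, permission boundaries, SCPs and resource policies are not modelled, and deriving the service prefix from eventSource is an approximation that holds for most but not all services. For a missing allow it emits the narrowest statement that would grant exactly the denied action on the denied ARN.

```python
"""Explain CloudTrail AccessDenied events against an IAM identity policy.

Added example, not the AccessUndenied tool's code. Simplified IAM model
(assumption): explicit Deny wins, then Allow, else implicit deny.
"""
import json
import re

# Constructed sample identity policy (not from the page).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowList", "Effect": "Allow",
         "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "AllowReadPublic", "Effect": "Allow",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/public/*"},
        {"Sid": "DenyRestricted", "Effect": "Deny",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/restricted/*"},
    ],
}

# Constructed CloudTrail-style records, trimmed to the fields this example reads.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "errorCode": "AccessDenied",
     "resources": [{"ARN": "arn:aws:s3:::example-bucket/restricted/keys.txt"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "errorCode": "AccessDenied",
     "resources": [{"ARN": "arn:aws:s3:::example-bucket/reports/q3.csv"}]},
    {"eventSource": "sqs.amazonaws.com", "eventName": "SendMessage",
     "errorCode": "AccessDenied",
     "resources": [{"ARN": "arn:aws:sqs:us-east-1:123456789012:jobs"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBucket",  # succeeded
     "resources": [{"ARN": "arn:aws:s3:::example-bucket"}]},
]


def _glob(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_matches(stmt, action, resource):
    """True if Action and Resource both cover the request (actions are case-insensitive)."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(_glob(a, action, ignore_case=True) for a in actions)
            and any(_glob(r, resource) for r in resources))


def event_to_request(event):
    """Derive "service:EventName" and the target ARN from a CloudTrail record."""
    service = event["eventSource"].split(".")[0]  # "s3.amazonaws.com" -> "s3" (approximation)
    action = f"{service}:{event['eventName']}"
    arns = [r["ARN"] for r in event.get("resources", []) if "ARN" in r]
    return action, (arns[0] if arns else "*")


def explain_denial(event, policy):
    """Explain one AccessDenied record; returns None for records that were not denied."""
    if event.get("errorCode") != "AccessDenied":
        return None
    action, resource = event_to_request(event)
    statements = policy["Statement"]
    denies = [s for s in statements
              if s["Effect"] == "Deny" and statement_matches(s, action, resource)]
    if denies:  # an explicit Deny always wins: name the exact statement(s)
        return {"action": action, "resource": resource, "reason": "explicit_deny",
                "statements": [s.get("Sid", "<no Sid>") for s in denies]}
    allows = [s for s in statements
              if s["Effect"] == "Allow" and statement_matches(s, action, resource)]
    if allows:  # identity policy allows it: denial came from something not modelled here
        return {"action": action, "resource": resource, "reason": "denied_elsewhere",
                "statements": [s.get("Sid", "<no Sid>") for s in allows]}
    # No matching Allow: propose the narrowest statement that would grant it.
    return {"action": action, "resource": resource, "reason": "missing_allow",
            "suggested_statement": {"Effect": "Allow", "Action": action,
                                    "Resource": resource}}


def analyze(events, policy):
    """Explain every AccessDenied event in a list of CloudTrail records."""
    return [r for r in (explain_denial(e, policy) for e in events) if r]


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_EVENTS, SAMPLE_POLICY), indent=2))
```

The "denied_elsewhere" branch is the important caveat: when the identity policy already allows the action, the denial must come from a layer this simplified evaluator ignores, and a least-privilege suggestion would be wrong, so the function reports the matching Allow instead of proposing a new one.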


Audience: Cloud Security


AWSGOAT : A DAMN 
VULNERABLE AWS 
INFRASTRUCTURE 


Jeswin Mathai, Sanjeev Mahunta 
Friday from 14:00 - 15:55 in Caucus 


Compromising an organization's cloud infrastructure is like sitting on a gold mine for attackers. And sometimes, a simple misconfiguration or a vulnerability in web applications is all an attacker needs to compromise the entire infrastructure. Since cloud is relatively new, many developers are not fully aware of the threatscape and they end up deploying a vulnerable cloud infrastructure. When it comes to web application pentesting on traditional infrastructure, deliberately vulnerable applications such as DVWA and bWAPP have helped the infosec community in understanding the popular web attack vectors. However, at this point in time, we do not have a similar framework for the cloud environment. In this talk, we will be introducing AWSGoat, a vulnerable-by-design infrastructure on AWS featuring the latest released OWASP Top 10 web application security risks (2021) and other misconfigurations based on services such as IAM, S3, API Gateway, Lambda, EC2, and ECS. AWSGoat mimics real-world infrastructure but with added vulnerabilities. The idea behind AWSGoat is to provide security enthusiasts and pen-testers with an easy to deploy/destroy vulnerable infrastructure where they can learn how to enumerate cloud applications, identify vulnerabilities, and chain various attacks to compromise the AWS account. The deployment scripts will be open-source and made available after the talk.


Audience: Cloud, Offense, Defense


AZUREGOAT: DAMN 
VULNERABLE AZURE 
INFRASTRUCTURE 


Nishant Sharma, Rachna Umraniya 
Friday from 12:00 - 13:55 in Committee 


Microsoft Azure cloud has become the second-largest vendor by market share among cloud infrastructure providers (as per multiple reports), just behind AWS. There are numerous tools and vulnerable applications available for AWS for the security professional to perform attack/defense practices, but it is not the case with Azure. There are far fewer options available to the community. AzureGoat is our attempt to shorten this gap by providing a ready-to-deploy vulnerable setup (vulnerable application + misconfigured Azure components + multiple attack paths) that can be used to learn/teach/practice Azure cloud environment pentesting.


Audience: Cloud, Offence, Defense 


BADRATS: INITIAL ACCESS MADE 
EASY 


Kevin Clark, Dominic "Cryillic" Cunningham 
Friday from 14:00 - 15:55 in Society 


Remote Access Trojans (RATs) are one of the defining pieces of tradecraft for identifying an Advanced Persistent Threat. This is because APTs typically leverage custom toolkits for gaining initial access, so they do not risk burning full-featured implants. Badrats takes characteristics from APT Tactics, Techniques, and Procedures (TTPs) and implements them into a custom Command and Control (C2) tool with a focus on initial access and implant flexibility. The key goal is to emulate the way modern threat actors avoid loading fully-featured implants unless required, instead opting to use a smaller staged implant. Badrats implants are written in various languages, each with a similar yet limited feature set. The implants are designed to be small for antivirus evasion and provide multiple methods of loading additional tools, such as shellcode, .NET assemblies, PowerShell, and shell commands on a compromised host. One of the most advanced TTPs that Badrats supports is peer-to-peer communications over SMB to allow implants to communicate through other compromised hosts.


Audience: Offense 


Adrien Ogee 
Friday from 14:00 - 15:55 in Accord


The CyberPeace Builders are pro hackers who volunteer to help NGOs improve their cybersecurity. Through a portal that I demo, hackers can access a variety of short engagements, from 1 to 4 hours, to provide targeted cybersecurity help to NGOs on topics ranging from staff awareness to DMARC implementation, password management and authentication practices, breach notification, OSINT and dark web monitoring, all the way to designing a cyber-related poster for the staff, reviewing their privacy policy and cyber insurance papers. The programme is the world's first and only skills-based volunteering opportunity for professionals in the cybersecurity industry; it has been prototyped over 2 years, was launched in July 2021 and is now being used by over 60 NGOs worldwide, ultimately helping to protect over 350 million vulnerable people and $500 million in funds. I'll demo the platform, show the type of help NGOs need and explain how INGOs and security professionals can leverage the programme.


Audience: Security professionals, NGOs 


Michael Messner, Pascal Eckmann 
Friday from 12:00 - 13:55 in Council 


Penetration testing of current embedded devices is quite complex as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer with the goal to simplify, optimize and automate the complex task of firmware security analysis:


Audience: Offense (penetration testers) and defense (security teams and developers).


Christopher Poore 
Friday from 10:00 - 11:55 in Council 


FISSURE is an open-source RF and reverse engineering framework designed for all skill levels with hooks for signal detection and classification, protocol discovery, attack execution, IO manipulation, vulnerability analysis, automation, and AI/ML. The framework was built to promote the rapid integration of software modules, radios, protocols, signal data, scripts, flow graphs, reference material, and third-party tools. FISSURE is a workflow enabler that keeps software in one location and allows teams to effortlessly get up to speed while sharing the same proven baseline configuration for specific Linux distributions. The framework and tools included with FISSURE are designed to detect the presence of RF energy, understand the characteristics of a signal, collect and analyze samples, develop transmit and/or injection techniques, and craft custom payloads or messages. FISSURE contains a growing library of protocol and signal information to assist in identification, packet crafting, and fuzzing. Online archive capabilities exist to download signal files and build playlists to simulate traffic and test systems.


Audience: RF Wireless, SDR, Offense, Defense 


David McGrew, Brandon Enright 
Friday from 12:00 - 13:55 in Society 


Mercury is an open source package for network 
metadata extraction and analysis. It reports session 
metadata including fingerprint strings for TLS, QUIC, 
HTTP, DNS, and many other protocols. Mercury 
can output JSON or PCAP. Designed for large 
scale use, it can process packets in real time at 
40Gbps on server-class commodity hardware, 
using Linux native zero-copy high performance 
networking. The Mercury package includes tools 
for analyzing PKIX/X.509 certificates and finding 
weak keys, and for analyzing fingerprints with 
destination context using a naive Bayes classifier. 


Audience: Network defense, incident response, forensics, security and privacy research


Dan Nagle 
"шет 12:00 - 13:55 in Accord 


Packet Sender is a free open-source (GPLv2) cross-platform (Windows, Mac, Linux) tool used daily by security researchers, college students, and professional developers to troubleshoot and reverse engineer network-based devices. Its core features are crafting and listening for UDP, TCP, and SSL/TLS packets via IPv4 or IPv6. It can listen simultaneously on any number of ports while sending to any UDP, TCP, SSL/TLS packet server. It is available for direct download or through the Winget, Homebrew, Debian, or Snap repos.


Audience: Offensive, Defensive, Developers, Testers


Ulf Frisk, Ian Vitek
Friday from 14:00 - 15:55 in Council


The PCILeech direct memory access attack toolkit was presented at DEF CON 24 and quickly became popular amongst red teamers and game hackers alike. We will demonstrate how to take control of still vulnerable systems with PCIe DMA code injection using affordable FPGA hardware and the open source PCILeech toolkit. MemProcFS is memory forensics and analysis made super easy! Analyze memory by clicking on files in a virtual file system or by using the API. Analyze memory dump files or live memory acquired using drivers or PCILeech PCIe FPGA hardware devices.


Audience: Offense, Defense, Forensics, Hardware 


Matthew Handy 
Friday from 10:00 - 11:55 in Accord 


TheAllCommander is an open-source tool which offers red teams and blue teams a framework to rapidly prototype and model malware communications, as well as associated client-side indicators of compromise. The framework provides a structured, documented, and object-oriented API for both the client and server, allowing anyone to quickly implement a novel communications protocol between a simulated malware daemon and its command and control server. For Blue Teamers, this allows rapid modeling of emerging threats and comprehensive testing in a controlled manner to develop reliable detection models. For Red Teamers, this framework allows rapid iteration and development of new protocols and communications schemes with an easy to use Python interface. The framework has many tools or techniques used by red teams built in, such as a SOCKS5 proxy, which then use the implemented communication scheme. This allows comprehensive testing of the detection and functional capability of the communication scheme, allowing for efficient design and development choices to be made before committing to production tool development. To facilitate this goal, TheAllCommander includes a Java-based command and control server with a simple API to allow new plug-ins for server-side control. There is a Python-based emulation client, which can be easily extended using the API to allow new client-side communications code. Several reference implementations for covert malware communication are provided to allow out-of-the-box modeling, including emulated client browser HTTPS traffic, DNS queries, and email traffic. The tool chain includes support for several common Red Team tactics, such as Remote Desktop tunneling and FODHelper UAC bypass. This implementation effectively generates both client-side and network traffic indicators of compromise.


Audience: Offense, Defense


Raunak Parmar 
Friday from 10:00 - 11:55 in Committee 


Vajra (Your Weapon to Cloud) is a framework capable of validating the cloud security posture of the target environment. In Indian mythology, the word Vajra refers to the Weapon of God Indra (God of Thunder and Storms). Because it is cloud-connected, it is an ideal name for the tool. Vajra supports multi-cloud environments and a variety of attack and enumeration strategies for both AWS and Azure. It features an intuitive web-based user interface built with the Python Flask module for a better user experience. The primary focus of this tool is to have different attacking and enumerating techniques all in one place with web UI interfaces so that it can be accessed anywhere by just hosting it on your server. The following modules are currently available:

* Azure
  - Attacking
    1. OAuth Based Phishing (Illicit Consent Grant Attack)
       - Exfiltrate Data
       - Enumerate Environment
       - Deploy Backdoors
       - Send mails/Create Rules
    2. Password Spray
    3. Password Brute Force
  - Enumeration
    1. Users
    2. Subdomain
    3. Azure AD
    4. Azure Services
  - Specific Service
    1. Storage Accounts
* AWS
  - Enumeration
    1. IAM Enumeration
    2. S3 Scanner
  - Misconfiguration


Audience: Security Professional Cloud Engineer 


WAKANDA LAND 


Stephen Kofi Asamoah 
Friday from 12:00 - 13:55 in Caucus


Wakanda Land is a Cyber Range deployment tool that uses Terraform for automating the process of deploying an Adversarial Simulation lab infrastructure for practicing various offensive attacks. This project inherits from other people's work in the Cybersecurity Community, to which I have added some additional sprinkles from my other research. The tool deploys the following for the lab infrastructure (of course, more assets can be added):

- Two Subnets
- Guacamole Server
  - This provides dashboard access to Kali GUI and Windows RDP instances. The Kali GUI, Windows RDP and the user accounts used to log into these instances are already baked into the deployment process.
  - To log into the Guacamole dashboard with the guacadmin account, you need to SSH into the Guacamole server using the public IP address (which is displayed after the deployment is complete), change into the guacamole directory and then type cat .env for the password (the guacadmin password is randomly generated and saved as an environment variable).
- Windows Domain Controller for the Child Domain (first.local)
- Windows Domain Controller for the Parent Domain (second.local)
- Windows Server in the Child Domain
- Windows 10 workstation in the Child Domain
- Kali Machine - a directory called toolz is created on this box and Covenant C2 is downloaded into that folder, so it's just a matter of running Covenant once you are authenticated into Kali
- Debian Server serving as Web Server 1 - OWASP's Juice Shop deployed via Docker
- Debian Server serving as Web Server 2 - Vulnerable web apps


Audience: Offensive - Defensive - Any Cybersecurity enthusiasts 


ZUTHAKA: A COMMAND & CONTROLS (C2S) INTEGRATION FRAMEWORK


Lucas Bonastre, Alberto Herrera 
Friday from 10:00 - 11:55 in Society 


The current C2s ecosystem has rapidly grown in order to adapt to modern red team operations and diverse needs (further information on C2 selection can be found here). This comes with a lot of overhead work for Offensive Security professionals everywhere. Creating a C2 is already a demanding task, and most C2s available lack an intuitive and easy to use web interface. Most Red Teams must independently administer and understand each C2 in their infrastructure. Zuthaka presents a simplified API for fast and clear integration of C2s and provides centralized management for multiple C2 instances through a unified interface for Red Team operations. It is a collaborative free open-source Command & Control development framework that allows developers to concentrate on the core function and goal of their C2. Zuthaka is more than just a collection of C2s; it is also a solid foundation that can be built upon and easily customized to meet the needs of the exercise that needs to be accomplished. This integration framework for C2 allows developers to concentrate on a unique target environment and not have to reinvent the wheel. After we first presented Zuthaka's MVP at Black Hat USA 2021 and DEFCON demo labs, we are now presenting the first release with updated post-exploitation modules to support text based modules as well as file based ones, along with a lab populated with commonly used C2s and their out-of-the-box integrations.


Audience: Red team operators, wishing a centralized place to handle all C2s instances. C2 developers, wishing to save the effort of writing the frontend. Hackers, wishing a strong infrastructure to run C2s.


ALSANNA 


Jason Johnson 
Saturday from 12:00 - 13:55 in Accord 


alsanna is a command-line based intercepting proxy for arbitrary TCP traffic. It includes built-in support for decrypting TLS streams, and allows editing the stream as it passes over the network. It is deliberately lightweight and documented to help hackers who need to modify its behavior. This demo will include live instances of the tool which can be used by visitors, live support for anyone looking to learn how to use alsanna, and a short on-demand walkthrough for visitors, covering how the tool works and what you need to know to modify it.


Audience: Researchers, reverse engineers, pentesters, bug bounty hunters 


CONTROL VALIDATION 
COMPASS - THREAT MODELING 
AIDE & PURPLE TEAM CONTENT 
REPO 


Scott Small 
Saturday from 14:00 - 15:55 in Caucus


Control Validation Compass ("Control Compass") provides a needed public resource that enables cyber security teams to actually operationalize MITRE ATT&CK for its best purpose: prioritized control validation. Control Compass unites tens of thousands of detection rules, offensive security scripts, and policy recommendations from 60+ open sources — all aligned with MITRE ATT&CK — into the largest single, continuously updated reference library for such content, wrapped in an easily searchable interface. This saves defenders, red teamers, and intel & GRC analysts serious time & effort when researching content for purple teaming efforts (aka control validation). Like its input components and sources, Control Compass resource sets are openly available to all, no strings attached. Control Compass supports a powerful second use case informed by its author's experience advising security & intelligence teams across maturity levels: the tool also provides a library of unique, openly available threat landscape summaries organized by key adversary categories, including motivation, location, and victim industry. By enabling easy identification of relevant threat intelligence — and a simple UI-based workflow to instantly surface corresponding security controls — Control Compass greatly lowers the barrier to building accurate, intelligence-driven threat models and helps drive tighter control validation feedback loops around the threats that matter most to a given organization.


Audience: Intelligence analysts, SOC/blue team/defenders, red team/ 
adversary emulation, GRC analysts 


DEFENSIVE 5G 


Eric Mair, Ryan Ashley 
Saturday from 12:00 - 13:55 in Council


In this work we developed a 4.5G/5G network using only commercial off the shelf (COTS) hardware and open-source software to serve as test infrastructure for studying vulnerabilities in 5G networks. We are using software defined networking (SDN) tools such as Faucet and Dovesnap and software defined radio (SDR) capabilities such as Open5gs and srsRAN along with Docker containers to facilitate the rapid and reliable setup and configuration of network topologies that can be used to represent the 5G networks that we intend to test. By having a configurable and repeatable mechanism that could be shared among multiple users with differing hardware setups we were able to test 5G network configurations in a variety of ways and have those results validated by other team members.


Audience: Network Defense and 5G, Software Defined Radio and Infrastructure-as-Code.


EDR DETECTION MECHANISMS 
AND BYPASS TECHNIQUES WITH 
EDRSANDBLAST 


Thomas Diot, Maxime Meignan 
Saturday from 10:00 - 11:55 in Society 


EDRSandBlast is a tool written in C that implements and industrializes known as well as original bypass techniques to make EDR evasion easier during adversary simulations. Both user-land and kernel-land EDR detection capabilities can be bypassed, using multiple unhooking techniques and a vulnerable signed driver to unregister kernel callbacks and disable the ETW Threat Intelligence provider. Since the initial release, multiple improvements have been implemented in EDRSandBlast: it is now possible to use this toolbox as a library from another attacking tool, new bypasses have been implemented, the embedded vulnerable driver is now interchangeable to increase stealthiness and the use of a pre-built offsets database is no longer required! Come discover our tool and its new features, learn (or teach us!) something about EDRs and discuss the potential improvements to this project.


Audience: Offense, Defense, Windows, EDR 


EMPIRE 4.0 AND BEYOND 


Vincent "Vinnybod" Rose, Anthony "Cx01N" Rose
Saturday from 10:00 - 11:55 in Accord


Empire is a Command and Control (C2) framework powered by Python 3 that supports Windows, Linux, and macOS exploitation. It has evolved significantly since its introduction in 2015 and has become one of the most widely used open-source C2 platforms. Starting life as PowerShell Empire and later merging in Empyre, Empire is now a full-fledged .NET C2 leveraging PowerShell, Python, C#, and Dynamic Language Runtime (DLR) agents. It offers a flexible modular architecture that links Advanced Persistent Threat (APT) Tactics, Techniques, and Procedures (TTPs) through the MITRE ATT&CK database. The framework aims to provide a flexible and easy-to-use interface to easily incorporate a wide array of tools into a single platform for red team operations to emulate APTs. This presentation will explore our most recent upgrades in Empire 4.0, including C# and IronPython agents, Customizable Bypasses, Malleable HTTP C2, Donut Integration, Beacon Object File (BoF), and much more. In addition, our team will be giving a preview of Empire 5.0 and its features, the most exciting of these being the brand-new web client (Starkiller 2.0) and v2 API, which will be released later this year.


Audience: Offense 


HLS4ML - OPEN SOURCE 
MACHINE LEARNING 
ACCELERATORS ON FPGAS 


Ben Hawks, Andres Meza 
Saturday from 14:00 - 15:55 in Council 


Born from the high energy physics community at the Large Hadron Collider, hls4ml is an open-source Python package for machine learning inference in FPGAs (Field Programmable Gate Arrays). It creates firmware implementations of machine learning algorithms by translating traditional, open-source machine learning package models into optimized high level synthesis C++ that can then be customized for your use case and implemented on devices such as FPGAs and Application Specific Integrated Circuits (ASICs). Hls4ml can easily scale the implementation of a model to take advantage of the parallel processing capabilities that FPGAs offer, not only allowing for low latency, high throughput designs, but also designs sized to fit on lower cost, resource constrained hardware. Hls4ml also supports generating accelerators with different drivers that build minimal, self-contained implementations which enable control via Python or C/C++ with little extra development or hardware expertise.


Audience: Hardware, AI, IoT, FPGA


INJECTYLL-HIDE: PUSHING 
THE FUTURE OF HARDWARE 
IMPLANTS TO THE NEXT LEVEL 


Jonathan Fischer, Jeremy Miller 
Saturday from 10:00 - 11:55 in Council 


Enterprises today are shifting away from dedicated workstations, and moving to flexible workspaces with shared hardware peripherals. This creates the ideal landscape for hardware implant attacks; however, implants have not kept up with this shift. While closed source, for-profit solutions exist and have seen some recent advances in innovation, they lack the customization to adapt to large targeted deployments. Open-source projects exist but focus more on individual workstations (dumb keyboards/terminals) relying on corporate networks for remote control. Our solution is an open source hardware implant which adopts IoT technologies, using non-standard channels to create a remotely managed mesh network of hardware implants. Attendees will learn how to create a new breed of open-source hardware implants. Topics covered in this talk include the scaling of implants for enterprise takeover, creating and utilizing a custom C2 server, a reverse shell that survives screen lock, and more. They will also leave with a new platform from which to innovate custom implants. Live demos will be used to show these new tactics against real world infrastructure. This talk builds off of previous implant talks but will show how to leverage new techniques and technologies to push the innovation of hardware implants forward evolutionarily.


Audience: Offense and Red Teams with a focus on hardware


MEMFINI - A SYSTEMWIDE MEMORY MONITOR INTERFACE FOR LINUX


Shubham Dubey, Rishal Dwivedi 
Saturday from 10:00 - 11:55 in Caucus 


Surprisingly, memory related event logging has been ignored by monitoring tools' authors for a long time. There are multiple event loggers present for Linux that are capable of monitoring processes, I/O operations, function calls or whole systemwide events. But something which is lacking in most is global monitoring of memory related events like allocation, attachment to a shared memory, memory allocation in a foreign process etc. This has many applications in the security domain or even software engineering in general. The main area of focus or use case for Memfini is to assist security professionals in carrying out memory specific Dynamic Malware Analysis, in order to help them in finding indicators for malicious activities without reversing the behavior. Below listed are a few of the use cases (which we will also be demonstrating in the talk).


* Process Injection
* Fileless malware execution
* Shellcode Execution
* Malicious shared memory usage


On the other hand, it can also be helpful for software developers who wish to have an eagle eye on the memory allocations:

* Finding Memory Leaks
* Error detection for debugging purposes.


This is possible as Memfini is capable of monitoring memory allocations in user space and kernel space, as well as some overlooked allocations like PCI device mapping, DMA allocations etc. It provides a command line interface with multiple filters, allowing a user to interact with the logs generated and get the required data. Currently, the user is able to filter the events by individual process, type of access etc.


Audience: Defensive security(Malware researcher, IR/Forensics) and 
Offensive security(memory based vulnerability discovery) 


OPENTDF 


Paul Flynn, Cassandra Bailey 
Saturday from 14:00 - 15:55 in Accord


OpenTDF is an open source project that 
provides developers with the tools to build data 
protections natively within their applications 
using the Trusted Data Format (TDF). 


Audience: AppSec, Defense, Mobile, IoT


Abdul Alanazi, Musaed Bin Muatred
Saturday from 12:00 - 13:55 in Committee


PMR (PTVA Management & Reporting) is an open-source collaboration platform that closes the gap between InfoSec technical teams and management in all assessment phases, from planning to reporting. Technical folks can focus on assessment methodology planning, test execution, and engagement collaboration, whereas management can plan engagements, track progress, assign testers, monitor remediation status, and escalate SLA breaches; this is an All-in-One fancy dashboard. The main features are: A) *Asset Management*, which allows IT asset inventory tracking with system owner contacts. B) *Engagements Management & Planning*, which enables security testers to follow a test execution roadmap by creating a new testing methodology or following execution standards such as NIST, PTES or OWASP. It definitely will keep pentesting engagements and projects more professional. Also, it enables collaborative testing, information gathering and evidence uploading. C) *Report Automation*, which automates boring tasks such as writing technical reports and validation reports. Generating a PDF report that is ready to share with clients and management can be accomplished with one click. D) *All-in-One Dashboard*, which will keep executives and management up-to-date with the organization's security posture. The dashboard components are:


- High level of current vulnerabilities.
- Engagement progress.
- Remediation Status.
- Track SLA breaches.
- Monitoring risk exceptions.


Audience: Security professionals, Vulnerability Management, AppSec, Risk Management


Logan Arkema 
Saturday from 14:00 - 15:55 in Committee


ResidueFree is a privacy-enhancing tool that allows individuals to keep sensitive information off their device's filesystem. It takes on-device privacy protections from TAILS and "incognito" web browser modes and applies them to any app running on a user's regular operating system, effectively making the privacy protections offered by TAILS more usable and accessible while improving the on-device privacy guarantees made by web browsers and extending them to any application. While ResidueFree currently runs on Linux, its maintainers are hoping to port it to other operating systems in the near future. In addition, ResidueFree can help forensic analysts and application security engineers isolate filesystem changes made by a specific application. The same implementation ResidueFree uses to ensure that any file changes an application makes are not stored to disk can also be used to isolate those changes to a separate folder without impacting the original files.


Audience: ResidueFree was primarily developed for individuals facing privacy threats that can access the information stored on the individuals' device. However, this presentation is also designed for security trainers that want to expand the tools they can suggest as well as for privacy engineers interested in contributing to ResidueFree or expanding it to more commonly used operating systems. ResidueFree also has features built for malware or forensic analysts, application security engineers, or others who wish to easily isolate an application's changes to a device's filesystem with a simple tool.


Chris Thompson, Duane Michael 
Saturday from 12:00 - 13:55 in Society 


SharpSCCM is a post-exploitation tool designed to leverage Microsoft Endpoint Configuration Manager (a.k.a. ConfigMgr, formerly SCCM) for lateral movement from a C2 agent without requiring access to the SCCM administration console. SharpSCCM supports lateral movement functions ported from PowerSCCM and contains additional functionality to abuse newly discovered attack primitives for coercing NTLM authentication from local administrator and SCCM site server machine accounts in environments where automatic client push installation is enabled. SharpSCCM can also dump information about the SCCM environment from a client, including domain credentials for Network Access Accounts. Further, with access to an SCCM administrator account, operators of SharpSCCM can execute code as SYSTEM or coerce NTLM authentication from the currently logged-in user or the machine account on any SCCM client.


Audience: Offense, Defense, System Administrators


Ankur Tyagi 
Saturday from 10:00 - 11:55 in Committee 


Writeups for CTF challenges and machines are a critical learning resource for our community. For the author, it presents an opportunity to document their methodology, tips/tricks and progress. For the audience, it serves as reference material. Oftentimes, authors switch roles and become the audience to learn from their own work. This demo aims to showcase tools, svachal and machinescli, developed with these insights. These work in conjunction to help users curate their learning in .yml structured files, find insights and query this knowledge base as and when needed.


Audience: Offense/Defense 


Quentin Kaiser, Florian Lukavsky 
Saturday from 12:00 - 13:55 in Caucus 


Unblob is a command line extraction tool to 
obtain content from any kind of binary blob. It has 
been initially developed for the sound and safe 
extraction of arbitrary firmware images. It has 
been built as a modular framework where anyone 
can develop and submit new format handlers and 
extractors. Its public version already supports a large 
number of filesystems, archive, and compression 
formats: https://github.com/onekey-sec/unblob 


Audience: Reverse Engineers, Embedded Security 




Solomon Sonya 
Saturday from 14:00 - 15:55 in Society 


Malware continues to advance in sophistication. Well- 
engineered malware can obfuscate itself from the user 
and the OS. Volatile memory is the unique structure 
malware cannot evade. I have engineered a new 
construct for memory analysis and a new open-source 
tool that automates memory analysis, correlation, and 
user-interaction to increase investigation accuracy, 
reduce analysis time and workload, and better detect 
malware presence from memory. This talk demos a 
new visualization construct that creates the ability to 
interact with memory analysis artifacts. Additionally, 
this talk demos new, very impactful Data XREF and 
System Manifest analysis features. Data XREF 
provides an index and memory context detailing 
how your search data is coupled with processes, 
modules, and events captured in memory. The System 
Manifest distills the analysis data to create a new 
memory analysis snapshot and precise identification of 
malicious artifacts detectable from malware execution, 
especially useful for exploit dev and malware analysis! 


Audience: Malware Analysts/Software Reverse Engineers, Exploit 
Developers, CTF Subject Matter Experts, Incident Responders, Digital 
Forensics Examiners, Offense & Defense 




BOARD SOURCE 


Boardsource sells custom keyboard kits designed for 
programmers, geeks, hackers, or anyone who spends a 
lot of time in a text editor. Products range from entry-level 
solderable kits and electrical components to products that 
are ready to use out of the box. Come by the booth to 
test out some keyboards and see what we have to offer! 


CAPITOL TECHNOLOGY 
UNIVERSITY 


Capitol Technology University, an independent, non- 
profit university in Maryland, is laser-focused on STEM 
careers and gives students the hands-on, real-world 
experience they need to enter today's tech job market. 
With one of the best cybersecurity programs in the 
nation, Capitol is a CAE institution. Most recently, 
Capitol was awarded a two-year grant from the NSA to 
lead the CAE Northeast Regional Hub, which includes 
14 states, the District of Columbia, and hundreds 
of institutions offering cybersecurity programs. 


CARNEGIE MELLON 
UNIVERSITY 


Deepen your technical knowledge and secure competitive 
salaries at the Information Networking Institute (INI), 
a department within the highly ranked College of 
Engineering at Carnegie Mellon University (CMU). 
We offer master's degrees in information networking, 
security and mobile and IoT engineering, with a variety 
of study options so you can customize your program. 


CRYPTOCURRENCY HACKERS 


Experience modern finance technology first hand by 
visiting the Cryptocurrency Hackers stand at the Defcon 
vendor area. We distribute items relating to a number 
of projects including Monero, Bitcoin, Ethereum, and 
others. Show your cryptohacker colours with high 
quality wearables and custom badges. Try new devices 
and electronics, with access to the designers on site. 
Inform yourself of cryptocurrency science by exploring 
our infocard display rack. Our stand is your one stop 
shop for cryptocurrency hacker items and information. 


EFF 


EFF is the leading defender of online civil liberties. 
We promote innovator rights, defend free speech, 
fight illegal surveillance, and protect rights and 
freedoms as our use of technology grows. 


GIRLS HACK VILLAGE 


Girls Hack Village is designed to highlight the 
contributions and experiences of girls in cybersecurity. 
Women are underrepresented in cybersecurity and 
our goal is to highlight the female experience in the 
industry. Women are traditionally underrepresented at 
many cybersecurity conferences and Girls Hack Village 
will give attendees the opportunity to learn about 
cybersecurity and hacking in a gender-friendly place. 


HACKER WAREHOUSE 


HACKER WAREHOUSE is your one stop shop for hacking 
equipment. We understand the importance of tools and 
gear which is why we carry only the highest quality gear 
from the best brands in the industry. From RF Hacking to 
Hardware Hacking to Lock Picks, we carry equipment that 
all hackers need. Check us out at HackerWarehouse.com. 


HACKERBOXES 


HackerBoxes is the monthly subscription box for hardware 
hacking, DIY electronics, cybersecurity, and hacker 
culture. Each monthly HackerBox includes a carefully 
curated collection of electronic components, modules, 
tools, supplies, and exclusive items. HackerBox hackers 
connect online as a community of experience, support, 
and ideas. Your HackerBox subscription is like having 
a tiny hacker convention in your mailbox every month. 


HACKERS FOR CHARITY 


Hackers for Charity's mission is to provide technical 
cyber support to other non-profits and charities. Our 
efforts focus on those organizations without internal 
help desks or other technical support. As a technical 
enabler, HFC empowers those non-profits and charities 
to succeed at their mission. HFC provides the breadth 
of cyber services and disaster relief, from basic help 
desk to threat hunting to incident remediation. 


HAK5 


Discover the devices that have found their way into 
the hearts and tool-kits of the modern hacker. Notable 
for ease of use. Celebrated by geek culture. From 
comprehensive WiFi audits to covert network implants and 
physical access mayhem - Hak5 Gear gets the job done. 


HOTWAN 


HotWAN is selling the "Pen Test Assistant" and the 
"Boot Monkey". The Assistant is a Pen Test attack box 
used in Red Teaming, Penetration Testing and Hardware 
Hacking. It can be used as a drop box, pivot box 
or C2. The "Boot Monkey" provides remote access 
to the local laptop power button. This addresses 
laptop freezes. Physical touch for power on, power 
off. Hard resets for laptops. It can also be used as a 
laptop jiggler to prevent screensavers occurring. 


KEYPORT 


Keyport® combines keys, pocket tools, & smart 
tech into one secure everyday multi-tool. We will 
be selling our latest modular product line (co- 
branded DEFCON 30 Editions) including the 
Keyport Pivot, Modules, Inserts, and accessories. 


MISCREANTS 


Miscreants is a creative agency working with cybersecurity 
clients. Besides our design work, we're creating clothing 
heavily influenced by streetwear and security culture, 
looking to document the past, present, and future of 
cybersecurity history. As a brand, we strive to deliver 
original pieces that belong in your closet for decades. 


NO STARCH PRESS 


No Starch Press has been publishing the finest in 
Geek Entertainment since 1994 and we're glad to 
be back! We have so many new books to show you 
and even a new death metal t-shirt. Everything is 
discounted. Come by and meet some of our editors 
and our founder, Bill Pollock, before he loses his 
voice. We look forward to seeing all of you again! 


OWASP 


As the world's largest non-profit organization 
concerned with software security, OWASP: 

- Supports the building of impactful projects; 

- Develops & nurtures communities through events 
and chapter meetings worldwide; and 

- Provides educational publications & resources 

in order to enable developers to write better 
software, and security professionals to make 
the world's software more secure. 


PHYS SEC VILLAGE STORE 


The Physical Security Village (formerly Lock Bypass 
Village) will be present in the vendor area too this 
year, loaded with physical hacking gear! We will have 
bypass tools, common keyed-alike keys, handcuffs, 
village swag, and more. We'll have hands-on exhibits 
in the Village area where you can go and try out 
your new toys right away, without ever leaving DEF 
CON! Whether you're new to hacking the physical 
world, or a seasoned pro, we're sure we'll have 
something for your needs (or at least... something you 
really want but totally don't need). All proceeds go 
towards the cost of putting on the village each year. 


SCAM STUFF 


Scam Stuff is gear for the Modern Rogue: 
magic tricks, lock picking, puzzle boxes, spy 
gear, novelty items, and more! If it’s designed 
to get you ahead in life, you'll find it here. 


SHADOWVEX 


Purveyors of limited edition clothing, music, art and 
hacker culture. From stickers to unique NFT Art and 
0-day limited edition swag just for DEF CON 30. Follow 
the music in the vending area to find our booth! 
THE CALYX INSTITUTE 


The Calyx Institute is a member-supported non-profit 
privacy research organization. We host Tor exit nodes, 
operate a free VPN service and are developing a 
privacy and security focused mobile phone operating 
system, CalyxOS. Become a member and you could 
get great free membership premiums such as a 5G 
or 4G mobile hotspot with unlimited un-throttled 
& un-capped mobile data for a year, or a Google 
Pixel phone with CalyxOS pre-installed on it. 


THE TOR PROJECT 


The Tor Project is a nonprofit developing free and 
open source software to protect people from tracking, 
censorship, and surveillance online. Tor's mission is to 
advance human rights and freedoms by creating and 
deploying free and open source anonymity and privacy 
technologies, supporting their unrestricted availability 
and use, and furthering their scientific and popular 
understanding. Stop by our table to learn more, pick 
up some gear, and find out how you can get involved. 


TOOOL 


The Open Organisation Of Lockpickers is back as 
always, offering a wide selection of tasty lock goodies 
for both the novice and master lockpicker! A variety 
of commercial picks, handmade and custom designs, 
practice locks, handcuffs, cutaways, and other neat 
tools will be available for your perusing and enjoyment! 
Stop by our table for interactive demos of this fine 
lockpicking gear or just to pick up a T-shirt and show 
your support for locksport. All sales exclusively benefit 
Toool, a 501(c)3 non-profit organization. You can 
purchase picks from many fine vendors, but ours is 
the only table where you know that 100% of your 
money goes directly back to the hacker community. 


XCAPE, INC. 


Looking for reliable drop boxes, do you need 2.4 
& 5 GHz wireless auditing? Looking for a reliable 
and secure bastion host? Check out the Xcape 
Booth for the gear we use, make, and sell. 


ZEROTIER 


ZeroTier (https://www.zerotier.com) enables users 
to deploy and maintain secure peer-to-peer overlay 
networks. Already supporting millions of devices globally, 
and with a proud open-source heritage, ZeroTier provides 
unrivaled ease of connectivity and management for 
modern networking use cases. ZeroTier is trusted by 
professionals in industries including Infosec, 
IT, Cloud, Telecommunications, IoT, Manufacturing, 
Media, Automotive, Aerospace, and Defense. 
The Dark Tangent would like to thank everyone who supports 
DEF CON and the hacking community. DEF CON is possible 
because of all the hard work from the people who make up 
the following departments: CFP Review, Contests and Events, 
DCTV, Defacement, DEF CON Groups, Demo Labs, Discord 
DevOps, Dispatch, Entertainment, Forums, Hackers With 
Disabilities, Infobooth, Inhuman Registration, Infrastructure, 
Parties, Photo Corps, Press, Production, Policy@DEFCON, 
QM Stores, Registration, the SOC, Speaker Ops, DEF CON 
Store, Vendor, Villages, and Workshops. 


Over 1,100 Goons, Creators, and speakers came together to 
organize and make DEF CON 30 happen! 


Thank you to the HQ staff for adapting as plans kept shifting: 
Bill, Cayce, Cot, Darington, Janet, Jeff, Neil, Nikita, and 
Will. Everyone had to deal with last minute changes and 
remain flexible in a year where decisions are being made 
last minute. 


Thank you to the badge designers, MK Factor, for a fantastic 
second year designing the badge and keeping it fresh with a 
human to human connection. Thank you to Zebbler Studios 
for designing the great badge stations and head to head 
music competitions. 


A special thanks to Coastwide Promotions, The Source of 
Knowledge, Black Hat, and Caesars Entertainment - You 
have all been fantastic to work with and have gone above 
and beyond this past year. 


Thank you everyone! The 30th year milestone is amazing 
and you made it happen! 


-The Dark Tangent 


ChrisAM would like to thank everyone responsible for this 
year's entertainment & decor: Krisz Klink, Great Scott, Zziks, 
dead, CTRL, stitch, davesbase, chOwn35, Trotfox5, COnjur3r, 
HiveQueen, sven, Zebbler Studios, SomaFM, Mobius, 
Imagine Stage Lighting, and all the DJs and artists who 
donated their time and talent to this event. 


Nikita would like to thank The Dark Tangent, Alex and 
the DC30 Content Reviewers for Talks and Workshops: 
AlxRogan, Anullvalue, Ash, Beaker, carnalOwnage, Suggy, 
Claviger, CyberSulu, DaKahuna, Dead Addict, Deanna, 
Dino, еп, LawyerLiz, HighWiz, Jay Healy, Magen Wu, 
Malware Unicorn, Marcia Hoffman, Medic, n00bz, Roamer, 
Pwerack, SecBarbie, Shaggy, SinderznAshes, Snow, Solstice, 
Vyrus, Yan, Zfasel, Zoz. Massive thanks to Dept Leads, mad 
props to Janet, Neil, Bestie, Rick Astley, Buggins & Squish. 


Grifter would like to thank all of the creators and 
coordinators of the multitude of contests and events at 
DEF CON 30. The time, effort, and passion that goes into 
your events does not go unnoticed, and the entertainment 
you bring not only to the contestants, but to the general 
attendees and overall atmosphere of DEF CON is hugely 
appreciated, so thank you, thank you, thank you. A 
huge thanks also goes to the C&E Goons for making sure 
things go off without a hitch and for putting out fires when 
they're still just smoldering, so thank you to stumper, saltr, 
heisenberg, apexxor, secove, rugger, gomer, rcu83d, zero3, 
psychoticide, pOlr, CyDefe, V3rbaal, H4rOld, Kaybz, and 
Ell o Punk; this wouldn't be possible without you. Big thanks 
to the Dark Tangent, Janet, Darrington, and Will...and of 
course a massive thanks to Nikita, our light in the storm, 
without whom we would truly be lost. 


Neil would like to give a big shout out to the Defacement 
Team: Medic, S4mGOld, BigSam, харһап and pOsterboy 
for their hard work keeping you on track and aware of your 
surroundings. Huge thanks to Sleestak and Nikita for support 
on the printed program, and CotMan for getting all the 
details online. Finally, to all the department leads who got 
me everything I needed on time to make this book, it was 
tight, I know, but thank you. 


Riverside and Fox would like to thank all of the DevOps 
goons: 


Ari, BSE, cstone, Lightning, mauvehed, mcmayhem, mubix, 
Nebberz, NightWolf, respondo, TCMBC, thephreak, 
VoltageSpike. 


A shout out to the Packet Hacking Village team for being the 
bot beta testers year round. 


Thanks to all the members of our team. Alex, GhostPepper, 
Hanna, Sandwich, Tuna, skw33k, and Videoman. 


DEF CON Groups (April, Casey, Jayson, Sleestak, 800xl, 
and Brent) offer our sincerest gratitude to DT, Nikita, and 
Will for their continued support and amazingness throughout 
the year! Massive thanks to our amazing AltspaceVR event 
volunteers: Giglio, Xray, Charmander, AldeBaran, TX, Drip, 
and Scribbles, who created and manage a truly incredible 
virtual DC experience. We would also like to give thanks 
and recognition to all of our global DCGs for their awesome 
work being local 'hacker ambassadors'. Every DCG is 
an example of the great things we can do when we come 
together with endless curiosity and the willingness to share 
our knowledge for the benefit of all. Each and every global 
DCG makes the world better through bits, bytes, wires, 
solder, and a lot of heart. Find your local community on 
defcongroups.org! Hugs to you all! <3 


Heisenberg would like to thank Nikita and DT for help with 
the selection process, and a shout out to Grifter and the 
other Contest Goons for help during the con. A big shout 
out to all the folks in the community who submitted demos for 
Demolabs - this could not happen without you! 


RF and Ahab would like to thank the Dispatch Goons: 
AsmodianX, Taclane, Archangel, Fosgood, LOG1C, Rixon, 
w00k, dymz, miggles, dirtclod, dll3ma, Offroad, Merg, 
skyria, TheKillerSpud, Goon22, yosg, and Treble. 


The DEF CON Forums and all the DEF CON Servers wish 
to thank Jeff Moss for giving them meaningful purpose 
in service to DEF CON and the DEF CON Community: they 
all fight for the users! Cotman thanks Cayce, Darington, 
Janet, Jeff, Neil, Nikita, and Will for being so easy to 
work with and tolerating my need to be specific and 
explicit with details. Thanks to staff/goon from various 
departments for getting me ToDo from all the organizers 
of CVE-W-2022-08_11-14 (Contests, Villages, Events, 
Workshops for 2022 ;-) in each department necessary 
to populate the forums with details about each: Nikita, 
Magen, Paydreaux, Zantdoit, Grifter. Thanks to info.defcon.org 
peeps: Seth, Caleb, and others that work Info booth 
and department for your work on the box to keep people 
informed. Thanks to the DevOps team working on our 
Discord server: Riverside, Ari, cstone, Lightning, Fox, Mubix, 
Nightwolf, Respondo, ThePhreak, Mauvehed, Nebberz, BSE, 
VoltageSpike, and mcmayhem. Thanks to all of DEF CON 
attendees for working with each other to make DEF CON an 
enjoyable experience for everyone. :-) 


Inhuman Registration would like to thank Cstone, Undertaker, 
Will, Nikita, Janet, Wendy, KC, McMayhem, Cylon, 50ph33 
and all the department heads for putting up working with us. 


effffn, mac and DEF CON would like to thank the 
indefatigable NOC team for their hard work. 


Sparky, booger, CRV, cOmmiebstrd, Dp1i, c7five, Jon2, 
deadication, musa, wish, johntitor, MikeD, Toph and strange 
do a great job and work long hours so you can internetz. 


Lastly, a huge thank you to Phil, Kevin, Mable and the whole 
Caesars IT and Encore staff for going above and beyond to 
make our lives easier. 


Littlebruzer and Littleroo would like to thank all of the NFO 
goons: Otter, 50 Caliber, Aask, algorythm, ARI, BLu3fOx, 
Boudica, Bufo Alvarius, Cheshire, Commrade, D1Gger, 
dL@w, Hankashyyyk, jimi2x, Krav, Lo, madstringer, Magpie, 
MajorMayhem, Nav, Nymphaea Caerulea, Parenthetical, 
Paul, PEZHead, Razzies, ReloadRtr, S7471K, Sanchez, 
SchematicAddict, securityfirst, SmileFiles, SmoOotchy, 
Sparkle, and Viva. A shout out to the Apps and Web team: 
Advice, aNullValue, derail, and І4ууКе for their hard work 
on the mobile applications and the web site. A special shout 
to MajorMayhem for all the helping out in a PM capacity 
and keeping the team on track. The entire NFO team would 
like to thank DT, Nikita, Janet, Will, Neil, and the rest of 
the HQ team. Without your support, we would not have 
this great conference. Thank you humans for the interesting 
questions and allowing us to tell you where to go and how 
to get there. 


0x58 would like to thank all of the parties that bring the 
noise and fun, and the meetups that bring people together 
face to face while in Las Vegas. Nikita and Janet, couldn't 
do it without you! And a thanks to my small team of boots on 
the ground: Rickglass, s3gfault, sylv3on_, and Sage! 


Beau and Matt want to give a huge thank you to all the 
people who helped make the Policy Department possible 
this year, including Winnona, Cathy Gellis, Moniru, Sarah 
Powazek, Lin Wells, Linda Wells, Duck Duck, Harley, Кого, 
Trey, Stew, Will, LawyerLiz, Ayan, AlexK, Mosfet, PWCrack, 
Nikita, Janet, William Leonard, Neil, Wednesday, and апі. 
And especially everyone in the hacker and public policy 
communities who act as voices of reason to help each other 
get more technical and public policy literate. 


Thank you to all the journalists, bloggers, and podcasters 
who contribute to building & documenting our community 
experiences! Over the years, it has become ever more 
apparent how important it is to be able to laugh at and learn 
from our collective history. A special thanks to the Press 
Goons who make it all possible: Claire, Jeff, and Sean. <3 
Wednesday & Monika 


Thanks to the Production Team members Bill, Janet, Ira, 
Proctor, Sparkles, Cybnew, Scout and Delchi for their tireless 
efforts doing <redacted>. Thanks to Cannibal, Silk, AJ702, 
and Amanda for their photo magic. Janet would like to 
thank all of you, department leads, goons, and everyone in 
between. Without you, this could not happen. 


Quartermasters Stores is brought to you this year by 
the letter Q and the number Seven. ETA is August 11th, 
assuming no Major Malfunction or failopen. It will be good 
to be back in the SunSh1ne hanging with the YoungBlood in the 
Helium rich atmosphere, but of course keeping an eye out for 
any Buttersnatcher or sp1kedshell at the Multigrain buffet. 
shell-e, Drimacus, alizarinMegalodon, SP3ZN45, Nanook, 
Pthamm, GBot, Cell Wizard and The Saint, I'm sorry but I 
just can't keep this up, lol. Thank you all for being our sisters 
and brothers and keeping the shiny shiny! 


cstone from Human Registration would like to thank 
everyone on SOC, QM, Swag, IHR, the Admin team, and 
the reg goons: 0x90ebfe, Chimera, Crackerjack, funnyguy, 
holmestrix, indigo, Jop113r, Model-A, Phear, Pozer, Prophet, 
qumqats, Temtel, Undertaker, and wralth. 


Cjunky and tacitus would like to thank: stealth, JulietBravo, 
OlFhax, thOm4s, StellarDrift, kruger, Junior, George, 
Si, Rose, nohackme, Gretchen, MOrph1x, Arc, Mouse, 
DoktorMayhem, Faz, Rez, John Doll, Rubi, Skiznotic, 
kerbear, arcon, Sif, SAGE, prOph37, cymike, Ada Zebra, 
Echo Sixx, mauvehed, do2er, TRINITY, ОгЗадп V1x3n, 
CarpeDiemT3ch, motsu, Andibrat, nesquik, Chof, GOOdn113, 
cocktail, Vaidu, Wham, mattrix, NextlnLine, Chosen], Hattori 
Hanzo, Thirsty Goat, randOh, duckie, polish dave, sl3dge, 
ZephrFish, shuu, bmOnkey, precOre, Randy Waterhouse, 
anna, LabRat, WHITE CHRIS, Colonel Ghona, LasOmbra, 
wilnix, Scrimshaw, Priest, Glasswalk3r, zombie, Lady 
Chaos, Siviak, Geekspeed, skroo, Nothingness, Achtung, 
Baybe Doll, timball, AstOr, Logkiller, WhiteBrd, TBD, Alice 
Kalli, Yaga, BeaMeR, whiskey, Strandloper, milkyline, 
Kitty, Wreaktifier, MIM, SystM_Ov3rL04d, ВМР51, deelo, 
AlphaKilo, Brick, Sumdunce, Zerorez, Sonicos, Cherno, 
Synn, Stingray, Havoc, zerofux, JusticeStorm, Radio Active, 
Judo, stan, redoubt, Plasma, Zulu, Sami, hamster, Heylel, 
HoneyBadger, Mr. M, Binarywishes, Infojanitor, Strider, 
Krassi, Wasted, Red, nlcfury, Jbone, dr.kaos, cRusad3r, 
DrFed, and all retired SOC Goons. Pax Per Imperium. 


pwcrack would like to thank the Speaker Operations staff for 
another year of great service to DEF CON and its speakers. 
These goons are #sOsayw3all, Agent X, archwisp, Bushy, 
CLI, Code24, Crash, DaKahuna, Flattire, g8, Gattaca, 
gdead, Goekesmi, idontdrivecars, Jinx, Jurlst, Jutral, K-hole, 
kampf, kylef, MaltLiquor, manchmod, Milhouse, Mnky, 
notkevin, Pordus, Pasties, phliKtid, RoundRiver, Shadow, 
SIGAD, squirrel, stikk, SurreolKill3r, triwOlf, TruBluFan, 
usako, Vaedron and, as always, AMFYOYO! 


Kevin would like to say thanks to the whole Vendor team 
for being awesome as usual (special thanks to Fivepenny, 
the Vendor 2nd!). Thanks to all the DEF CON departments. 
Thanks for all the vendors that came to DEF CON 30! And 
the attendees who give us all their money. And of course 
thank you to Janet, DT, and all of the DEF CON staff! 


Zantdoit would like to thank Hony and F4ux for their 
support as leads for each of the hotels. There is no way I 
would be able to do this without you. BIG thanks to DVS 
and Paydreaux for taking care of the village forums and 
Discord... keeping them up to date and organized. 


Zant, Hony, and F4ux, and the village team want to thank 
all the Village leads and organizers for everything they do 
to make DEF CON a huge success by bringing great villages 
and content here for us to experience. Thanks to DEVOPS for 
getting all the village channels organized up and running! 
Thanks: Amlazar, Athena, Broozer, clutch, config, Curtis, 
DVS, Furb, griff, Grimfodr, Hunny, Kralik, Margraf, Monster, 
Paydreaux, Raze, Respondo, Sven, Trixie, Tuh-kah-kus, Void_ 
star, Zachadakka, (Virtual) Cybersulu, Eddie the Yeti, and 
Woodpeka THANKS for all your time, help, and hard work!! 
Villages would not be possible without it. 


Magen and Sinderz would like to thank our Workshop 
goons: тау, BinaryBuddha, LawyerLiz, Integgroll, Dave, 
Beaker, Fallible, Jen and Joel Cardella, Chrissy, adamO, 
and RandomInterrupt; the Workshop Review Board and the 
instructors for all of the time and energy they volunteered 
for the community; and the teams who support us before 
and during the show (DT, Nikita, Neil, Janet, Will, Cotman, 
Darrington, QM, NOC, and SOC). 


